| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 12/28/2015 07:35 PM, Rich Freeman wrote: |
| 5 |
> On Mon, Dec 28, 2015 at 10:07 AM, Kristian Fiskerstrand |
| 6 |
> <k_f@g.o> wrote: |
| 7 |
>>> On 28 Dec 2015, at 15:58, James Le Cuirot <chewi@g.o> |
| 8 |
>>> wrote: |
| 9 |
>>> |
| 10 |
|
| 11 |
|
| 12 |
> That concern is hardly unique to phones. PCs suffer just as much |
| 13 |
> from this problem. The solution could potentially be the same. |
| 14 |
> For |
| 15 |
|
| 16 |
But here we already have smartcards (that everyone should and _is_ |
| 17 |
using... right?) |
| 18 |
|
| 19 |
> signing it is a straightforward problem since there is nothing to |
| 20 |
> be kept secret except the key material itself (just send the |
| 21 |
> message to the signing device, and return the signature back). For |
| 22 |
> encryption |
| 23 |
|
| 24 |
for clarity (and what I think you already mean), the message in this |
| 25 |
case is the message to be signed (which is likely a blinded hash or |
| 26 |
something, so much shorter than the original data) |
| 27 |
|
| 28 |
> you have additional challenges if you want to be able to make any |
| 29 |
> use of the plaintext without it getting stolen - once decrypted it |
| 30 |
> is only secure as any device that comes in contact with it. And |
| 31 |
> there is no |
| 32 |
|
| 33 |
Indeed, but at least the device won't be able to decrypt further |
| 34 |
communication as it'd only have access to the session key of the |
| 35 |
particular message. Loosing control of the private (sub)key is |
| 36 |
substantially worse, so that might actually be ok for the security |
| 37 |
parameters of the users. |
| 38 |
|
| 39 |
> reason that mobile and browser frameworks couldn't talk to such |
| 40 |
> devices with the right standards. |
| 41 |
> |
| 42 |
> If it were up to me the government would hand out signing devices |
| 43 |
> just as they hand out passports. |
| 44 |
|
| 45 |
This already happen in several countries, including Germany and on a |
| 46 |
semi-related variant Norway (its government approved to sign |
| 47 |
electronically using BankID, where the banks does the verification). |
| 48 |
In germany there is even a CA that checks the government ID and |
| 49 |
certify OpenPGP keys based on it. |
| 50 |
|
| 51 |
- -- |
| 52 |
Kristian Fiskerstrand |
| 53 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
| 54 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 55 |
-----BEGIN PGP SIGNATURE----- |
| 56 |
|
| 57 |
iQEcBAEBCgAGBQJWgpGGAAoJECULev7WN52FHM4H/3hRy9UcmNtQ9cXOKR6xvwPy |
| 58 |
jso78Adi2EP4rGdMJrczBO7ymG5NSxF3rtVel1UjyYfT8x3MEgPfyyG26yGUOo6X |
| 59 |
tyL5dBiZ6dLCDMDAJdc3tTuLkgaRCkyPZFva6qOp3DgHMAez+wQTKTkmzpMGmG8M |
| 60 |
UxqrUWOS/7cGx5Dp+GOYWqd6nx+xrzwg63UbZqstwpPGZVp1BzI/Cat0KQv2j+q1 |
| 61 |
SU7IKvl4B2HmuL7BeZrc1H7Vj4BmUC1bgw5jnaA0E5oAsHvYefVxBQkt6sroxrbJ |
| 62 |
8cXm4NGFRrLf4YkO/x7T7CRxnVLcGKdNkrKJDquCcsPHbc9oR44JBiXdO4OaWd4= |
| 63 |
=dIzk |
| 64 |
-----END PGP SIGNATURE----- |
Archives