[guardian-dev] OpenPGP Keychain 2.1 with new API

David Holl david at ad5ey.net
Tue Sep 10 12:29:17 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, Sep 10, 2013 at 05:44:33PM +0200, Natanael wrote:
> While mentioning smartcards, the Yubikey Neo seems to have an
> OpenPGP smartcard mode (that needs to be manually activated in
> firmware), could that work with this app?

I would hope so.  Does the Neo claim to be compatible with the open
specification?  http://g10code.com/docs/openpgp-card-2.0.pdf

> Then you'd always have a hardware protected keypair (if you don't
> lose your Yubikey), so even rootkits can't get your private key.

Exactly!  :)  Rootkits or compromised firmware...  And even if a
compromised device does cache my pin and use my card (while briefly
inserted), I hope to be alerted of any illicit accesses courtesy
of the signature counter built into the card.

There seem to be at least 3 potential "cards" that I'm aware of:
	OpenPGP SmartCard V2
	Yubikey Neo
	Crypto Stick https://www.crypto-stick.com/

(I put "cards" in quotes, because the Crypto Stick includes a
"thumb" form-factor USB interface.  Though not as tiny as the
Neo, it still supports 4096 bit keys.)

- - David

Aside:

I selected the OpenPGP SmartCard V2 for my personal use, because
the Crypto Stick has been out of stock for a while, and the Yubikey
Neo appears to only support 2048 bit keys.  If I really want the
"thumb" form factor of the Crypto Stick, I may try popping out the
ID-000 minicard from the OpenPGP SmartCard and putting it into a
"Gemalto USB Shell Token V2" (aka the "IDBridge K30").  Otherwise,
the "SCM SCR3500" reader is almost small enough for use on a key
chain, and is widely available at reasonable prices.  (about $40
total for a SmartCard V2 with a SCM SCR3500 reader.)
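The signature-counter check described in the message above, as an added example that is not part of the original post and not code from OpenPGP Keychain, GnuPG or any card vendor: a small Python audit that parses the human-readable text of `gpg --card-status`, compares the card's "Signature counter" with the number of signatures the owner has recorded locally, and also flags a card whose signature PIN is not "forced" (the setting that makes the card demand the PIN for every signature instead of once per session, which is exactly the PIN-caching scenario the message worries about). The sample status text is constructed, not captured from a real card; the ledger count and the "last seen counter" value are assumed to come from the owner's own records.

```python
"""Audit an OpenPGP card's signature counter against a local ledger.

Added example, not from the original post. Feed it the text printed by
`gpg --card-status` (for instance via subprocess) together with the number
of signatures you know you made. A card counter ahead of the ledger means
someone else used the card. Per the OpenPGP card 2.0 spec the counter is
reset when a new signature key is generated, so a counter that moves
backwards is itself reportable.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of `gpg --card-status` output (not a real card).
SAMPLE_CARD_STATUS = """\
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Signature PIN ....: not forced
Key attributes ...: 4096R 4096R 4096R
PIN retry counter : 3 0 3
Signature counter : 17
"""

# gpg pads labels with dots or spaces before the colon; tolerate both.
_RE_SERIAL = re.compile(r"^Serial number\s*\.*\s*:\s*(\S+)", re.MULTILINE)
_RE_COUNTER = re.compile(r"^Signature counter\s*\.*\s*:\s*(\d+)", re.MULTILINE)
_RE_PIN = re.compile(r"^Signature PIN\s*\.*\s*:\s*(forced|not forced)", re.MULTILINE)


@dataclass(frozen=True)
class CardStatus:
    serial: str
    signature_counter: int
    signature_pin_forced: Optional[bool]  # None if gpg did not print the field


def parse_card_status(text: str) -> CardStatus:
    """Extract the fields the audit needs from `gpg --card-status` text."""
    m_serial = _RE_SERIAL.search(text)
    m_counter = _RE_COUNTER.search(text)
    if not m_serial or not m_counter:
        raise ValueError("no OpenPGP card status found in input")
    m_pin = _RE_PIN.search(text)
    return CardStatus(
        serial=m_serial.group(1),
        signature_counter=int(m_counter.group(1)),
        signature_pin_forced=None if m_pin is None else m_pin.group(1) == "forced",
    )


@dataclass(frozen=True)
class AuditResult:
    ok: bool
    unexplained_signatures: int  # card counter minus ledger, floored at 0
    findings: Tuple[str, ...]


def audit_card(text: str, expected_serial: str, ledger_signatures: int,
               last_seen_counter: Optional[int] = None) -> AuditResult:
    """Compare the card's counter with the owner's records.

    ledger_signatures: signatures the owner knows were made since the
    signature key was generated (assumed to be kept by the owner).
    last_seen_counter: counter value recorded at the previous audit, used
    to detect a reset (key regenerated) or a swapped card.
    """
    status = parse_card_status(text)
    findings = []
    if status.serial != expected_serial:
        findings.append(f"serial mismatch: card reports {status.serial}, "
                        f"expected {expected_serial}")
    if last_seen_counter is not None and status.signature_counter < last_seen_counter:
        findings.append(f"counter went backwards ({last_seen_counter} -> "
                        f"{status.signature_counter}): key regenerated or different card")
    delta = status.signature_counter - ledger_signatures
    if delta > 0:
        findings.append(f"{delta} signature(s) on the card that are not in the local ledger")
    elif delta < 0:
        findings.append(f"ledger is {-delta} ahead of the card: ledger is wrong or counter was reset")
    if status.signature_pin_forced is False:
        findings.append("signature PIN is not forced: a cached PIN lets a compromised "
                        "host sign repeatedly without prompting")
    return AuditResult(ok=not findings, unexplained_signatures=max(delta, 0),
                       findings=tuple(findings))


if __name__ == "__main__":
    result = audit_card(SAMPLE_CARD_STATUS, "00000001", ledger_signatures=15,
                        last_seen_counter=15)
    for line in result.findings or ("card consistent with ledger",):
        print(line)
```

The ledger has to live somewhere the attacker in this threat model cannot quietly edit, otherwise a compromised host can simply bump it alongside each illicit signature; keeping the count on a separate device (the phone running the app, or paper) is what makes the counter useful as evidence.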
