
Re: [openpgp] saltpack on OpenPGP message format problems

2016-03-02 01:30:07
Hello,

Phillip wrote:

> I think one point that has been massively overlooked by traditional
> crypto applications is the need to store private keys securely. In
> particular, it should be possible to fix private keys to a device such
> that the key can be used on that device but it is not possible to
> remove the key from the device and install it on another device
> without 'heroic' efforts (e.g. uncapping the CPU and reading it with a
> scanning electron microscope).

You seem to be talking of PKCS #11.  It's possible to use that under
OpenPGP but I've found the GnuPG implementation made it difficult.
Unlike the PGP card, which is more specific to the OpenPGP purpose,
this is a general standard for which many implementations exist in
USB sticks, ranging up to HSMs and even software low-end solutions.

FWIW, I had no problem implementing PKCS #11 for OpenPGP,

https://github.com/arpa2/tlspool/blob/master/tool/pgp11_genkey.c

This is only key generation (including self-signing) which is what I
needed for this project (which moves TLS to a daemon that uses PKCS #11)
but other things can also easily be moved to OpenPGP implementations.

Cheers,
 -Rick
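The point both messages circle around is that a PKCS #11 private key only stays "fixed to the device" if it is created with the right attributes and if later audits confirm the token still reports them. The following C is an added example, not code from the thread or from the tlspool project linked above: it builds the private-key attribute template one would hand to C_GenerateKeyPair() so the key is on-token, sensitive and non-extractable, and it checks an attribute list (as returned by C_GetAttributeValue()) for that property, including the CKA_NEVER_EXTRACTABLE / CKA_ALWAYS_SENSITIVE history attributes. The type and constant definitions reproduce the values in the PKCS #11 specification so the file compiles without a vendor pkcs11.h; in a real build you would include that header instead of these definitions. The attribute lists in main() are constructed samples.

```c
/* Added example (not from the thread or the tlspool project): a PKCS #11
 * private-key template that binds a generated key to the token, plus an
 * audit check over attributes read back from a token.
 * Minimal types and constants follow the PKCS #11 specification so this
 * compiles stand-alone; a real build includes the vendor pkcs11.h instead. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0

/* Attribute and object constants as numbered in the PKCS #11 specification. */
#define CKA_CLASS             0x000UL
#define CKA_TOKEN             0x001UL
#define CKA_PRIVATE           0x002UL
#define CKA_KEY_TYPE          0x100UL
#define CKA_SENSITIVE         0x103UL
#define CKA_SIGN              0x108UL
#define CKA_EXTRACTABLE       0x162UL
#define CKA_NEVER_EXTRACTABLE 0x164UL
#define CKA_ALWAYS_SENSITIVE  0x165UL
#define CKO_PRIVATE_KEY       3UL
#define CKK_RSA               0UL

static CK_BBOOL bool_true     = CK_TRUE;
static CK_BBOOL bool_false    = CK_FALSE;
static CK_ULONG class_private = CKO_PRIVATE_KEY;
static CK_ULONG keytype_rsa   = CKK_RSA;

#define PRIV_TEMPLATE_LEN 7

/* Fills tmpl with the private-key half of a C_GenerateKeyPair() template:
 * persistent on the token, login-protected, sensitive (plaintext never
 * readable) and not extractable (cannot be wrapped off the device).
 * Returns the number of entries written, or 0 if cap is too small. */
CK_ULONG build_device_bound_private_template(CK_ATTRIBUTE *tmpl, CK_ULONG cap)
{
    const CK_ATTRIBUTE t[PRIV_TEMPLATE_LEN] = {
        { CKA_CLASS,       &class_private, sizeof class_private },
        { CKA_KEY_TYPE,    &keytype_rsa,   sizeof keytype_rsa },
        { CKA_TOKEN,       &bool_true,     sizeof bool_true },
        { CKA_PRIVATE,     &bool_true,     sizeof bool_true },
        { CKA_SENSITIVE,   &bool_true,     sizeof bool_true },
        { CKA_EXTRACTABLE, &bool_false,    sizeof bool_false },
        { CKA_SIGN,        &bool_true,     sizeof bool_true },
    };
    if (cap < PRIV_TEMPLATE_LEN) return 0;
    for (CK_ULONG i = 0; i < PRIV_TEMPLATE_LEN; i++) tmpl[i] = t[i];
    return PRIV_TEMPLATE_LEN;
}

/* Looks up a CK_BBOOL attribute in a list; returns 1/0 for its value,
 * or -1 when the attribute is absent or malformed. */
static int get_bool(const CK_ATTRIBUTE *attrs, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++) {
        if (attrs[i].type == type && attrs[i].pValue != NULL &&
            attrs[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)attrs[i].pValue ? 1 : 0;
    }
    return -1;
}

/* Returns 1 if the attributes describe a key bound to the token: on-token,
 * sensitive and not extractable (all three required; a missing answer
 * counts as a failure so an unresponsive token is not mistaken for a safe
 * one). The history attributes are optional, but when present they must
 * not reveal that the key was ever extractable or non-sensitive, because
 * a copy may already exist outside the device. */
int key_is_device_bound(const CK_ATTRIBUTE *attrs, CK_ULONG n)
{
    if (get_bool(attrs, n, CKA_TOKEN) != 1) return 0;
    if (get_bool(attrs, n, CKA_SENSITIVE) != 1) return 0;
    if (get_bool(attrs, n, CKA_EXTRACTABLE) != 0) return 0;
    if (get_bool(attrs, n, CKA_NEVER_EXTRACTABLE) == 0) return 0;
    if (get_bool(attrs, n, CKA_ALWAYS_SENSITIVE) == 0) return 0;
    return 1;
}

int main(void)
{
    CK_ATTRIBUTE tmpl[PRIV_TEMPLATE_LEN];
    CK_ULONG n = build_device_bound_private_template(tmpl, PRIV_TEMPLATE_LEN);
    printf("generation template: %lu entries, device-bound=%d\n",
           n, key_is_device_bound(tmpl, n));

    /* Constructed sample of what a token might report for an exportable key. */
    CK_ATTRIBUTE exportable[] = {
        { CKA_TOKEN,       &bool_true, sizeof bool_true },
        { CKA_SENSITIVE,   &bool_true, sizeof bool_true },
        { CKA_EXTRACTABLE, &bool_true, sizeof bool_true },
    };
    printf("exportable key: device-bound=%d\n", key_is_device_bound(exportable, 3));
    return 0;
}
```

The audit function is deliberately usable on both the template you are about to submit and the attributes you later read back: a template that passes it, submitted to a token that honours the attributes, yields a key that also passes it, and a key that fails the history check deserves the same treatment as one that is extractable today.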

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp
