
OT: Smartcards and Physical Security

On Tuesday 02 December 2003 at 17:19:22, Tom wrote:
> Smartcards would have avoided the Debian compromise: merely having a 
> compromised DD box would have prevented the bad guy from getting on the box.

For those interested in smart cards: I maintain most of the smart-card-related
Debian packages. See [1] (but people.d.o is down now) or [2].

Some smart card projects are also on Alioth [3, 4, 5].

I am also working on OpenSC [6] and I may package it for Debian in the

So smart card solutions _already_ exist for a Debian system.

> I think the DDs should seriously think about requiring smartcards.  It 
> would have prevented the proximate cause of our recent troubles.

I agree that smart cards would help. It is another layer of security.

But I think it would be too expensive in terms of money and time for

A smart card reader: $30
A smart card: $10~$20
So for 1000 DDs that is $40,000. We could also ask each DD to buy the
hardware, but I don't think we (Debian) can reasonably do that.

The biggest problem I see is card management. This may be very
time consuming, since smart cards would be lost, stolen, blocked after 3
wrong PINs, PINs would be forgotten, etc.

I don't see why it would be easier (faster) to generate/add a new smart
card than it is now to update/include a new GnuPG key in the keyring for
GnuPG keys that have been lost, compromised, etc.

You can use a smart card to store your GnuPG and SSH private keys. The
crypto will be done on the smart card and the private key will never
leave the card.  But I don't think Debian can impose such a solution on
every Debian developer.

Of course we can discuss the question and I will try to help.


[1] http://people.debian.org/~rousseau/smartcard.html
[2] http://qa.debian.org/developer.php?login=rousseau
[3] http://pcsclite.alioth.debian.org/
[4] http://muscleapps.alioth.debian.org/
[5] http://muscleplugins.alioth.debian.org/
[6] http://www.opensc.org/

 Dr. Ludovic Rousseau                        Ludovic.Rousseau@free.fr
 -- Standardising Unix is like pasteurising camembert, L.R. --
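The card/host split described in the message above (the host sends a PIN and a digest, the card signs, the private key is generated on the card and never exported, the card blocks after three wrong PINs and a PUK unblocks it), as an added Python model. This is example code written for this page, not part of the original message and not OpenSC or GnuPG code; the class names, the 256-bit textbook RSA without padding, the PIN/PUK values and the host helper functions are illustrative assumptions. Real cards use PKCS#1 padding, larger moduli and a retry counter on the PUK as well.

```python
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (stdlib only, for the toy key gen)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


class CardBlocked(Exception):
    pass


class WrongPin(Exception):
    pass


class SmartCard:
    """Card side (hypothetical model). The key pair is generated here and no
    method ever returns the private exponent; the host only sees the public
    key and signatures. Three wrong PINs block the card; the PUK unblocks it."""

    MAX_TRIES = 3

    def __init__(self, pin, puk, bits=256):
        while True:  # on-card key generation: textbook RSA, e = 65537
            p, q = _random_prime(bits), _random_prime(bits)
            if p == q:
                continue
            try:
                self._d = pow(65537, -1, (p - 1) * (q - 1))
                break
            except ValueError:  # e not invertible mod phi, draw again
                continue
        self._n, self._e = p * q, 65537
        self._pin, self._puk = pin, puk
        self._tries_left, self._verified = self.MAX_TRIES, False

    def public_key(self):
        return self._n, self._e

    def verify_pin(self, pin):
        if self._tries_left == 0:
            raise CardBlocked("PIN blocked; use the PUK")
        if not hmac.compare_digest(pin, self._pin):  # constant-time compare
            self._tries_left -= 1
            self._verified = False
            if self._tries_left == 0:
                raise CardBlocked("PIN blocked; use the PUK")
            raise WrongPin(f"{self._tries_left} tries left")
        self._tries_left, self._verified = self.MAX_TRIES, True

    def unblock(self, puk, new_pin):
        """PUK resets the retry counter and sets a fresh PIN."""
        if not hmac.compare_digest(puk, self._puk):
            return False
        self._pin, self._tries_left, self._verified = new_pin, self.MAX_TRIES, False
        return True

    def sign(self, digest):
        """Raw RSA signature over a digest; only allowed after PIN verification."""
        if not self._verified:
            raise PermissionError("PIN not verified")
        m = int.from_bytes(digest, "big")
        if m >= self._n:
            raise ValueError("digest too large for modulus")
        return pow(m, self._d, self._n)


def host_sign(card, pin, challenge):
    """Host side: the PIN and a SHA-256 digest go to the card, a signature comes back."""
    card.verify_pin(pin)
    return card.sign(hashlib.sha256(challenge).digest())


def host_verify(public_key, challenge, signature):
    """Anyone holding the public key (e.g. an SSH server) checks the signature."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(challenge).digest(), "big")


def lockout_scenario(card, wrong_pin, good_pin, puk, new_pin):
    """Three wrong PINs, then the right one, then PUK recovery. Returns
    (exception names seen, blocked even with the right PIN, unblock ok,
    signing works with the new PIN)."""
    seen = []
    for _ in range(3):
        try:
            card.verify_pin(wrong_pin)
        except (WrongPin, CardBlocked) as exc:
            seen.append(type(exc).__name__)
    try:
        card.verify_pin(good_pin)
        blocked = False
    except CardBlocked:
        blocked = True
    ok = card.unblock(puk, new_pin)
    sig = host_sign(card, new_pin, b"after unblock")
    return seen, blocked, ok, host_verify(card.public_key(), b"after unblock", sig)
```

The point of the split is visible in the interface: the host process (which is the part an attacker on a compromised DD box controls) can ask the card to sign while the card is unlocked, but it cannot read the key out and copy it elsewhere, and it gets three PIN guesses before the card stops cooperating. The management cost the message describes is the `unblock` path: someone has to hold and hand out the PUK.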
