OT: Smartcards and Physical Security

To: debian-devel@lists.debian.org
Cc: Russell Coker <russell@coker.com.au>
Subject: OT: Smartcards and Physical Security
From: Ludovic Rousseau <ludovic.rousseau@free.fr>
Date: Wed, 3 Dec 2003 20:43:25 +0100
Message-id: <[🔎] 20031203194325.GB26530@acer.maison.bogus>
Mail-followup-to: debian-devel@lists.debian.org, Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 20031203011922.GA2828@comcast.net>
References: <[🔎] 3FCBCF99.3000907@sentinel.dk> <[🔎] E1AR6Vn-0001YY-Vx@mid.downhill.at.eu.org> <[🔎] 20031202232021.GA32333@daedalus.andrew.net.au> <[🔎] 200312031117.19034.russell@coker.com.au> <[🔎] 20031203005423.GA1132@daedalus.andrew.net.au> <[🔎] 20031203011922.GA2828@comcast.net>

Le mardi 02 décembre 2003 à 17:19:22, Tom a écrit:
> Smartcards would have avoided the Debian compromise: merely having a 
> compromised DD box would have prevented bad guy from getting on the box.

For those interested in smartcards I maintain most of smart card related
Debian packages. See [1] (but people.d.o is down now) or [2].

Some smart card projects are also on Alioth [3, 4, 5].

I am also working on OpenSC [6] and I may package it for Debian in the
future.

So smart card solutions _already_ exist for a Debian system.

> I think the DD's should seriously think about requiring smartcards.  It 
> would have prevented the proxmiate cause of our recent troubles.

I agree that smart cards would help. It is another layer of security.

But I think it would be too expensive in term of money and time for
Debian.

A smart card reader: $30
A smart card: $10~$20
So for 1000 DD that is $40,000. We could also ask each DD to buy the
hardware but I don't think we (Debian) can reasonably do that.

The biggest problem I see is on the card management. This may be very
time consuming since smart cards would be: lost, stolen, blocked after 3
wrong PIN, PIN would be lost, etc.

I don't see why it would be easier (faster) to generate/add a new smart
card than it is now to update/include a new GnuPG key in the keyring for
GnuPG keys that have been lost, compromised, etc.

You can use a smart card to store your GnuPG and SSH private keys. The
crypto will be done in the smart card and the private key will never
leave the card.  But I don't think Debian can impose such a solution for
every Debian developer.

Of course we can discuss the question and I will try to help.

Regards,

[1] http://people.debian.org/~rousseau/smartcard.html
[2] http://qa.debian.org/developer.php?login=rousseau
[3] http://pcsclite.alioth.debian.org/
[4] http://muscleapps.alioth.debian.org/
[5] http://muscleplugins.alioth.debian.org/
[6] http://www.opensc.org/

-- 
 Dr. Ludovic Rousseau                        Ludovic.Rousseau@free.fr
 -- Normaliser Unix c'est comme pasteuriser le camembert, L.R. --

Reply to:

References:
- Backport of the integer overflow in the brk system call
  - From: Frederik Dannemare <tux@sentinel.dk>
- Re: Backport of the integer overflow in the brk system call
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>
- Re: Backport of the integer overflow in the brk system call
  - From: Andrew Pollock <debian-lists@andrew.net.au>
- Re: Backport of the integer overflow in the brk system call
  - From: Russell Coker <russell@coker.com.au>
- Re: Backport of the integer overflow in the brk system call
  - From: Andrew Pollock <debian-devel@andrew.net.au>
- Re: Backport of the integer overflow in the brk system call
  - From: Tom <tb.31123.nospam@comcast.net>

Prev by Date: Re: [RFC] adding system users: which is the best way??
Next by Date: Re: Backport of the integer overflow in the brk system call
Previous by thread: Re: Backport of the integer overflow in the brk system call
Next by thread: Re: Backport of the integer overflow in the brk system call
Index(es):
- Date
- Thread