Re: wanted: educate us please on key dongles
On Wed, Aug 30, 2017 at 12:50:53PM +0200, Marc Haber wrote:
> On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote:
> > * with Yubikey 4 (suspected): they send the secret handshake, get a
> > copy of the key, and you don't even know anything happened
> That's a point, but I cannot validate whether the free hardware design
> running the free software crypto app isn't backdoored anyway due to
> lack of knowledge and expertise.
If you're not interested in anything where you're not able to do all of
the validation yourself, why are you asking us for advice only to then
say you don't see the point of the recommendations given?
At the risk of trying to teach my grandmother to suck eggs, the
advantage of an open hardware + software design is that even if you
yourself are unable to fully validate the security of the device there
is the opportunity for others to do so and share their findings.
(I do not claim to have done any security investigation of the GnuK
code, but I have successfully built and installed it using only tools
available in Debian.)
/-\ | No thanks, I'm already having one.
|@/ Debian GNU/Linux Developer |