On 11/11/20 9:29 AM, Andrei Borzenkov wrote:
> 11.11.2020 18:40, Lew Wolfgang wrote:
>> Second, I'm happy to report that message signing and encryption works with Smartcards!
>
> How exactly is encryption related to a smartcard? Encryption uses the public key of the recipient, while the smartcard contains your own secret key.
>
> That's a serious question, I probably miss something obvious here.
Smartcard-based encryption is the key usage case for them. To the best of my knowledge, they don't interoperate with PGP. I'm certainly no expert on this, but you're correct, the private key lives on the smartcard and can't be used as the argument to the RSA encryption software until unlocked with a PIN. Even then it never leaves the card itself; only the encryption products leave the card. Thus the smartcard is an integral component of its PKI environment. With the smartcard PIN, you have true two-factor authentication and security.

Getting Thunderbird working with smartcards in the beginning wasn't easy. The error messages were opaque and there were too many moving parts. The Muscle packages, then PCSC with its various reader drivers, the libcoolkey middleware, then Thunderbird itself and the handling of root certificate authorities made for many interesting problems. Our most recent problem was an incompatibility with new PIV smartcards, which was solved by using OpenSC instead of coolkey.

Considering the PGP problems we've been hearing about, it was a relief to see that the smartcard ecosystem still works with the new Thunderbird version. All of my hundreds of saved public certs are still there and usable too! If it's any consolation, our Windows users have more problems with smartcards than do my openSUSE users.

Regards,
Lew