On 11/15/20 4:10 PM, David C. Rankin wrote:
> On 11/11/20 1:45 PM, Lew Wolfgang wrote:
>> Getting Thunderbird working with smartcards in the beginning wasn't easy. The error messages were opaque and there were too many moving parts. The Muscle packages, then PCSC with its various reader drivers, the libcoolkey middleware, then Thunderbird itself and the handling of root certificate authorities made for many interesting problems. Our most recent problem was an incompatibility with new PIV smartcards, which was solved by using OpenSC instead of coolkey.
>
> Why on God's Green Earth would anyone care about encryption from a smartcard? (no, using a public computer with a key on a card doesn't make sense) If my OS booted, and I'm logged in, then authentication is done. I'm a Linux user, I just want Thunderbird to work with my gpg keys. (as was done for more than a

Sorry if I wasn't clear, David. Smartcards are used for two-factor authentication and encryption. A user has to possess the token (smartcard) and the knowledge to unlock the token (PIN). The authentication is used to access restricted web sites, digital signing of messages is used for non-repudiation, and of course there's the encryption part. The cards wouldn't normally be used on public computers; they would lack the readers and software. Plus, organizational policy would usually forbid it. Only organizationally approved computers are used, to the best of my knowledge.

> Why are we throwing gpg out for some half-baked Windows PGP replacement that can play with smartcards? To me, that is another shining example of why radical usage breaks should be forks of projects and not lurches in a different direction of an existing project. No wonder small businesses won't gamble on Linux desktop, we keep slapping them in the face with costly tail-chasing changes that cost just as much to support as changes by the other side.

The Smartcard stack is independent from gpg and its descendants. Smartcard support in Thunderbird has existed for many years; I was relieved that this new PGP didn't interfere with existing Smartcard support.

https://blog.identityautomation.com/two-factor-authentication-2fa-explained-...

Regards,
Lew
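The thread above lists the moving parts (pcscd and its reader driver, the PKCS#11 middleware such as coolkey or OpenSC, Thunderbird's own certificate database) without showing how to tell which layer is broken when a PIV card is not recognised. The script below is an added example, not code from either poster or from the OpenSC or Thunderbird projects: it walks the stack one layer at a time with the standard OpenSC and NSS command-line tools, and separates "no token in the reader" from "module not loaded". The module path /usr/lib64/opensc-pkcs11.so, the Thunderbird profile directory argument, and the sample pkcs11-tool output fed to the parser are assumptions chosen for illustration; the tools and flags used (opensc-tool, pkcs11-tool, modutil) are the real ones.

```shell
#!/bin/sh
# Layer-by-layer check of a Linux smartcard stack as used by Thunderbird.
# Added example; assumes OpenSC (opensc-tool, pkcs11-tool) and NSS modutil
# are installed and that pcscd is started (directly or via pcscd.socket).

# Assumed module path (openSUSE/Fedora x86_64); override with PKCS11_MODULE.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/opensc-pkcs11.so}"

# Pure helper: read `pkcs11-tool --list-slots` output on stdin and print the
# index of every slot that holds a token. A slot with a card prints a
# "token label" line; a reader with no card prints "(empty)". Parsing this
# lets a script distinguish "no card inserted" from "module failed to load".
slots_with_token() {
    awk '
        /^Slot [0-9]+/            { slot = $2; next }   # $2 is the slot index
        /^ *\(empty\)/            { slot = ""; next }   # reader present, no card
        /token label/ && slot != "" { print slot; slot = "" }
    '
}

# Layer 1: pcscd + reader driver. If this fails, nothing above it can work.
check_reader() {
    opensc-tool --list-readers || {
        echo "no reader seen: is pcscd (or pcscd.socket) running?" >&2
        return 1
    }
}

# Layer 2: PKCS#11 middleware can open and sees a token in at least one slot.
check_token() {
    listing=$(pkcs11-tool --module "$PKCS11_MODULE" --list-slots) || {
        echo "cannot load $PKCS11_MODULE" >&2
        return 1
    }
    slots=$(printf '%s\n' "$listing" | slots_with_token)
    [ -n "$slots" ] || { echo "readers found but no card inserted" >&2; return 1; }
    echo "token(s) in slot(s): $slots"
}

# Layer 3: the card exposes certificates, and the PIN unlocks it.
# --login prompts for the PIN: possession of the card plus knowledge of the
# PIN is exactly the two-factor property discussed in the thread.
check_objects() {
    pkcs11-tool --module "$PKCS11_MODULE" --list-objects --type cert
    pkcs11-tool --module "$PKCS11_MODULE" --login --test
}

# Layer 4: Thunderbird must be told about the module. Its profile holds an
# NSS "sql:" database (cert9.db/key4.db); -force skips the "is the browser
# closed?" prompt. Run with Thunderbird shut down.
register_in_thunderbird() {
    profile="$1"   # e.g. ~/.thunderbird/xxxxxxxx.default-release (assumed)
    modutil -dbdir "sql:$profile" -add "OpenSC PKCS#11" \
            -libfile "$PKCS11_MODULE" -force
    modutil -dbdir "sql:$profile" -list
}

# Only run the hardware-touching checks when invoked explicitly:
#   sh smartcard-check.sh run [thunderbird-profile-dir]
if [ "${1:-}" = "run" ]; then
    check_reader && check_token && check_objects || exit 1
    [ -n "${2:-}" ] && register_in_thunderbird "$2"
fi
```

If check_reader fails the problem is below the middleware (pcscd, CCID driver, USB); if check_token reports "no card inserted" the stack is fine and it is the card; if only check_objects fails with a login error, the card is readable but the PIN or the card's PIV applet is not understood by the middleware, which is where switching from coolkey to OpenSC helps, as described above.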