Topic: OpenPGP Smartcard + SCR3110 Reader combo - 4.5 BTC (Read 4250 times)

Price adjusted while we float around $10.

Last chance.  Only one more of these left.  I will not order another batch once it's gone.

I bought one and got it in the mail quickly!  And even used the mybitsafe escrow site.  Professional and thorough thru and thru.

Only three more sets left!

The offer for a 10% discount is you test drive my escrow site when paying is still good.

Couldn't hold out for the price to go to 15?  I'll pm you.

Hi kgo, I'd like to take a combo OpenPGP card and reader off your hands, and willing to use an escrow service with the owner.

I'll sell the card only for 1.75.  Shoot me a pm if you're interested.

I don't need the reader - do you only have the card for sale?

I think I'll take one off of you when the price of bitcoins is back up to $15.

Repriced at 3.25 now that bitcoins are below 14.  I'll continue to offer a 10% discount if you test drive my new escrow service when paying.  See my sig for details.

kgo, thanks for the chat on OTC.

As a side note, are you familiar with the technical details of the proposed 'encrypted keys' in bitcoin client 0.3.25||0.4 ? I would posit that the private bitcoin elliptic keys on a smart card would be the most secure form of currency/transaction in existence today. Perhaps you could discuss this with the core developers. Why should they invent their own implementations when we already have decade+ proven technologies?

For this week only, I'll knock 10% off the price if you use my new escrow site to pay.  Offer ends Friday.

(Yes, I know that using my escrow site to send me money doesn't provide additional security.  I just want people to test drive the site.)

Ah yeah I guess gpg itself would be much more secure. Cool.

Sorry for explaining everything, didn't realize what you were asking.

Yes, you'd still be exposed.  This would only protect you from someone who got your encrypted wallet.dat, and your .gnupg directory.  In this case the key wouldn't be in your .gnupg directory anymore.  But it wouldn't protect you while wallet.dat is unencrypted.

I'm intimately familiar with PGP and OTC. Don't get me wrong, this sounds cool (though without integration now I wonder about the work flow/use case). My question is this:

Currently I use GPG to symmetrically encrypt my wallet (gpg -ca wallet.dat). This requires me to create a passphrase as it is not encrypted with my public key. I delete the plaintext wallet.dat. When I want to use the wallet, I (gpg wallet.dat.asc). Then I can use the bitcoin client and when I'm done, I delete the wallet.dat file (perhaps I re-encrypt for backup). This work flow makes me vulnerable to (1) key logging attack and (2) malicious copy while the wallet.dat is on the disk in plaintext.

Now, suppose instead, I use the smart card. Somehow I manage to securely place a copy of my private key on the smart card. Now, when I want to decrypt a wallet (encrypted to me as recipient using public key cryptography) I send the passphrase from my computer to the smart card. The smart card decrypts my wallet.dat and drops it in plain text on my disk.

In both cases, I have exposed myself to the exact same two attack vectors. No?

I had two or three spare cards around.  They were the only thing was able to reliably sell on #bitcoin-otc.  Since the cards come from Germany, shipping can get expensive.  I decided to order a ten pack along with some readers and see if I could sell them all for bitcoins.

You can use gpg to encrypt wallet backups.  I do.  But there are other methods that are just fine.  But there's no direct integration with gpg.

gpg is used more extensively on the #bitcoin-otc web of trust.  If you're unfamiliar, it's a feedback system like Ebay, but based around gpg.  It also lets you ensure that the person you're talking to is indeed the person with the good rating, since someone could log onto the channel with your name.

It's also used some to digitally sign contracts.  You can write out a statement like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will deliver one OpenPGP + SmartCard combo to you via priority mail for 3 BTC.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJOGjILAAoJEP5F5V2hilTWxl0H/ip6+3WrXoK8rI+YghnIOJle
gNoW6+xygv8pP4oBR77pYqOtOzQP0LF1GCLX30sPi4tZoAHAAPnpsCdNGCYMKYN/
Sb3fVgH0KEN+4uo+pPm5PmGAdLp9K5kr3U2m+5yUb/ygWjJbTB4nCl4vbxkdhDnN
f0jZIywnbl/mzyWJ664ZAn8Zn2ITX08pUK9VAGsxkuHmoKKfJKMkdkqf+ky09IKc
VVz+LuHolsjkh1+Qi3k4y0ic1+9XbHsreF+wUIP3e11Ao6X+aEEPxZG/dDY2xdIA
jLCYs4ulb5m2r1uDS+1/Eph1iZOsDjfH2KueDt+NBPAkpsX1zYR4mt4AqH9leAI=
=6yS6
-----END PGP SIGNATURE-----

A user can use gpg to verify that you wrote this.  And if you try to deny it down the road they can prove you signed it.  A concept called non-repudiation.

If someone tries to forge the content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will deliver a one ounce gold nugget to you via priority mail for 0.3 BTC.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJOGjILAAoJEP5F5V2hilTWxl0H/ip6+3WrXoK8rI+YghnIOJle
gNoW6+xygv8pP4oBR77pYqOtOzQP0LF1GCLX30sPi4tZoAHAAPnpsCdNGCYMKYN/
Sb3fVgH0KEN+4uo+pPm5PmGAdLp9K5kr3U2m+5yUb/ygWjJbTB4nCl4vbxkdhDnN
f0jZIywnbl/mzyWJ664ZAn8Zn2ITX08pUK9VAGsxkuHmoKKfJKMkdkqf+ky09IKc
VVz+LuHolsjkh1+Qi3k4y0ic1+9XbHsreF+wUIP3e11Ao6X+aEEPxZG/dDY2xdIA
jLCYs4ulb5m2r1uDS+1/Eph1iZOsDjfH2KueDt+NBPAkpsX1zYR4mt4AqH9leAI=
=6yS6
-----END PGP SIGNATURE-----

Then it can be proven that the document has been tampered with.

These cards just provide a more secure way to store your gpg keys.

kgo, pretty cool. What's your connection to this? Or you just happen to have a short dozen you want to sell?

How does this relate to bitcoin? Do you encrypt your wallet to yourself? I conventionally/symetrically encrypt the wallet, so I'm vulnerable to key loggers and of course during the few minutes while the wallet remains in use on my disk.

Only 8 more left!

I'm willing to ship internationally, but would need to get a price quote on shipping first.

+1 looks good  im a bit poor to buy this at moment + im in AU