On Wed, 2018-08-22 at 15:48 +0200, Kristian Fiskerstrand wrote:
> On 08/22/2018 03:37 PM, Michał Górny wrote:
> > This is one attack vector that -- AFAIU -- hardware tokens protect
> > against.
>
> Right, although it only shifts the attack, so user would just wait until
> the token is available to perform whatever wanted anyways. In terms of
> after the attack, the difference is we don't really use OpenPGP as a
> long term identity such as it is in general. For a user, losing WoT etc
> can have an impact, for Gentoo we just update LDAP and access is
> effectively revoked without further issues, we don't need the key
> material to survive this attack to be used after the fact again, which
> is really what the hardware token helps for.
>

We're talking about 'the burglar can come into the house when the door
is unlocked' vs 'the burglar has the key and can come and go as he
pleases'. You make it sound like there's no difference.

--
Best regards,
Michał Górny