nmh-workers

Re: Calendaring?


From: Steffen Nurpmeso
Subject: Re: Calendaring?
Date: Thu, 02 Nov 2023 23:21:09 +0100
User-agent: s-nail v14.9.24-551-ga3fc242fd5

Ken Hornstein wrote in
 <20231102201740.80A852F57E@pb-smtp21.pobox.com>:
 |>The all-embedded RFC 7265 JCAL (plus JMAP etc) is surely the
 |>future for all of you.
 |
 |I get the feeling there's some scorn in that statement.  I'm not trying
 |to drag anyone else's choices; it's tough to find the right balance
 |between "keeping up with the times" and "sticking with stuff you know
 |that works just fine".  I can only offer (when asked!) how I came to
 |make the decisions I chose.
 |
 |>Unfortunately no Yubikey/-alike thing yet, so i type my harddisk
 |>decryption key, then my password, then the password of an
 |>additional encfs filesystem, and then have a script which loads
 |>keys into ssh-agent aka provides decrypted versions for easy
 |>consumption (via copy+paste or so).  The browser "container" which
 |>(actually) has passwords is special and also stores in such a one.
 |>(Also decrypted by that script.)
 |
 |I can only say that my personal security is NOT designed to defend against
 |nation-state level attacks :-)  But maybe it should be?

Hm, i .. could imagine you are more familiar with these kinds of
things, as a higher ranked former army computer specialist, in
reality.  Ie, one hears this and that, in the end.

The topic itself -- i do not know.  I tend to totally agree with
your statement, but then again, not.  I mean there is nothing
i would have to be ashamed of or that could make me blackmailable.
But i do have SSH keys to other people's computer(s) (networks).
I have S/MIME and PGP (and signify) key.
There is access to a bank account, and i make a living from that
alone, one bank, one account.  At some time, make one of three.

I never had cold security (hard disk encryption) in the past, but
then did it in 2021.  It was easy, and these NVME things have
a sheer unbelievable (really: totally mind blowing) I/O
performance regardless.
I did not even have any disk or folder encryption at all until
2019, only the distributed backups were PGP encrypted.
By then i was of the opinion that this is not enough, with the
laptop all over the place, but i do take care quite a bit when
i have the laptop around, so a forced "armed" robbery would have
been necessary.
So first came the encfs, at the same time i replaced backups with
filesystem snapshots.  But the cold security problem was then
nagging, and so i did that, too, keeping the rest "as-is".  Works
just fine.  Surely no protection against forced power against me
as a human factor still.

Btw i kept an email of Theodore Ts'o from openssl-dev@ of 2014,
where he describes his workflow as

  ..
  % git tag -s[.]
        <Insert smart card, type the pin to create the GPG signed tag>
  ..
  % git push ssh://[.]
        <Type pin to unlock the ssh key, which is also on the smart card>
  ..
  (I have aliases and shell scripts for most of this, but I've expanded
  all of this out for clarity.)

Today they all use these cards which even require hands-on.
In this hindsight i am still too relaxed.
I even talked to one Yubikey user who was totally crazy about that
"forced power" issue praying against his wall "i have no idea what
the password is" "i really cannot tell you anything about the
password as i do not know it, i have never seen it" etc.  If they
get him, they get a thing.  That much is plain.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


