Improvement suggestion: README for tap-to-sign #537

Open

Tycho-S opened this issue Jul 26, 2020 · 1 comment

Comments

@Tycho-S

Tycho-S commented Jul 26, 2020

I totally agree with the "Security Considerations" part of the README, especially when it comes to unlocked smartcards:

To get better protection out of use with a smartcard even against a targeted attack I can think of at least two options:

  • The smartcard must require explicit confirmation for each decryption operation.

I would like to point out that the often-used Yubikeys (also mentioned later on in that paragraph) have a feature called "touch to verify" which does exactly what you want here, and it can be turned on for OpenPGP. It is, however, a fairly 'hidden' feature that not everyone knows about. It can be enabled in Yubikey Manager. I think it would help to add this information to that section (and also to raise awareness of this feature, so that hopefully other smartcard/key providers will start providing the same functionality).

There's also one other workaround I could suggest:

  • With regular smartcards I remove them from the reader as soon as I've decrypted a password, to prevent them from being used by malware. This workaround is also not mentioned. This is especially easy with NFC use.
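As an added example (not code from the project's README or from the comment above): a POSIX shell script that reads the touch policy of the OpenPGP encryption slot out of `ykman openpgp info` and reports whether it actually forces a button press for every decryption, which is the property the README's first option asks for. The `ykman` subcommands quoted in the comments are YubiKey Manager's own CLI; the sample `ykman openpgp info` text embedded in the script is constructed and only approximate, so the parser tolerates small layout differences, and the real `ykman` binary is invoked only when the script is run with `--live`.

```shell
#!/bin/sh
# Added example, not project code: audit whether a YubiKey's OpenPGP
# encryption key really demands a touch for every decryption.
# ykman (YubiKey Manager CLI) is needed only for the --live path.

# Constructed, approximate sample of `ykman openpgp info` output so the
# parsing can be exercised without a key plugged in.  Real output differs
# in spacing, and newer ykman prints "Encryption key:" with a colon.
SAMPLE_INFO='OpenPGP version: 3.4
Application version: 5.2.7
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 3
Touch policies
Signature key          Off
Encryption key         Cached
Authentication key     Off
Attestation key        Off'

# touch_policy_for NAME: reads `ykman openpgp info` text on stdin and prints
# the lowercased touch policy for NAME = Signature | Encryption | Authentication.
# Accepts an optional colon after "key" and any amount of indentation.
touch_policy_for() {
    grep -i "^[[:space:]]*$1 key:\{0,1\}[[:space:]]" | awk 'NR == 1 { print tolower($NF) }'
}

# requires_touch_each_time POLICY: succeeds only for policies where every
# private-key operation needs a fresh button press.  "cached" and
# "cached-fixed" keep one touch valid for about 15 seconds, so malware that
# already holds the unlocked card can piggyback on your press inside that
# window; "off" never asks at all.
requires_touch_each_time() {
    case "$1" in
        on|fixed) return 0 ;;
        *)        return 1 ;;
    esac
}

# verdict_for_policy POLICY: one-line human-readable verdict on stdout.
verdict_for_policy() {
    if requires_touch_each_time "$1"; then
        echo "ok: encryption slot policy '$1' forces a touch per decryption"
    else
        echo "weak: encryption slot policy '${1:-unknown}' does not force a touch per decryption"
    fi
}

# audit_live_key: query the plugged-in key.  To turn the policy on (the
# Admin PIN is prompted for), YubiKey Manager's CLI uses:
#   ykman openpgp keys set-touch enc fixed      # ykman 4.x / 5.x
#   ykman openpgp set-touch enc fixed           # older ykman 3.x syntax
# 'fixed' cannot be switched back off without resetting the OpenPGP applet,
# which is the point: malware holding the Admin PIN cannot quietly relax it.
audit_live_key() {
    verdict_for_policy "$(ykman openpgp info | touch_policy_for Encryption)"
}

if [ "${1:-}" = "--live" ]; then
    audit_live_key
else
    verdict_for_policy "$(printf '%s\n' "$SAMPLE_INFO" | touch_policy_for Encryption)"
fi
```

Run it without arguments to see the verdict on the constructed sample (a "cached" policy is flagged as weak); run it with `--live` next to a plugged-in YubiKey to audit the real slot. Note that `set-touch` only gates the YubiKey's own private-key operations; it does nothing for a conventional smartcard, which is why the comment's second workaround (pull the card as soon as the decryption is done) still matters there.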
@issue-label-bot

Issue-Label Bot is automatically applying the label feature_request to this issue, with a confidence of 0.96. Please mark this comment with 👍 or 👎 to give our bot feedback!

