scd: ambiguous certificate IDs for pkcs#15 certificates

Werner Koch wk at gnupg.org
Mon Feb 19 14:55:11 CET 2024


Hi Mario,

> For this card, all certificates have the same ID tag for each key (2 or 3 in 
> the example), as they are part of the same certificate chain. Thus the 

I have not checked the specs but I think this is a Bad Idea even if
allowed.  Clearly we will run into problems.

> Is there a way to avoid this unambiguity? Would it for example be possible to 
> use the path ID of the certificate file instead of the ID tag in the 

This would not solve the case if we have several certificates in one
record.  My proposed solution is to add a counter if there is any
duplicate id.  For already supported cards this should not matter and
the worst thing will be that the currently used IDs change - but they
are anyway dynamically assigned.

> Is this mailinglist the right place to discuss this issue or should I open a 
> task in the issue tracker?

Sure.  Here you get your audience.  Nevertheless I also created
https://dev.gnupg.org/T7001 for tracking.

>       0C UTF8String (32 bytes): Root-CA-Zertifikat fuer Signatur

Interesting that they provide the root CA's cert.  I doubt that this is
of any great help given that the verifier still needs to get that cert.
And everyone needs to assign trust to that certificate anyway.

Attached are two patches which I could not test.  Please let me know
whether they work for you.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-scd-p15-Take-derive-usage-into-account-for-decryptio.patch
Type: text/x-diff
Size: 4150 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240219/95d30be7/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-scd-p15-Handle-duplicate-certificate-ids.patch
Type: text/x-diff
Size: 3790 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240219/95d30be7/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240219/95d30be7/attachment.sig>
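As an added illustration of the counter scheme proposed in the message above (this is example code, not the attached 0002 patch or any part of scdaemon; the `<id>.<k>` suffix format, the `p15_cert` structure, the function names and the sample CDF entries are all constructed for this example), the following C program assigns a unique certificate ID to every entry of a card whose CDF reuses the same ID tag for a whole certificate chain. The first entry with a given ID keeps it; later duplicates get a numeric suffix, so lookups by ID become deterministic regardless of how many certificates share a tag:

```c
#include <stdio.h>
#include <string.h>

#define P15_MAX_ID 64

/* One certificate directory entry, reduced to what this example needs.
   scdaemon's real structure is larger; this is a constructed stand-in. */
struct p15_cert {
    char id[P15_MAX_ID];        /* ID tag as read from the CDF (hex string) */
    const char *label;          /* UTF8String label from the CDF */
    char unique_id[P15_MAX_ID]; /* ID after de-duplication */
};

/* Give every entry a unique ID.  The first entry with a given ID keeps it
   unchanged; the k-th duplicate becomes "<id>.<k>" (assumed format).
   CDF IDs are hex strings, so a '.' separator cannot collide with a raw ID.
   Returns the number of entries that received a suffix. */
size_t p15_assign_unique_ids(struct p15_cert *certs, size_t n)
{
    size_t renamed = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned seen = 0;
        for (size_t j = 0; j < i; j++)
            if (strcmp(certs[j].id, certs[i].id) == 0)
                seen++;
        if (seen == 0) {
            snprintf(certs[i].unique_id, sizeof certs[i].unique_id,
                     "%s", certs[i].id);
        } else {
            snprintf(certs[i].unique_id, sizeof certs[i].unique_id,
                     "%s.%u", certs[i].id, seen);
            renamed++;
        }
    }
    return renamed;
}

/* Post-condition check a caller can run after assignment:
   returns 1 if every unique_id differs from all others, else 0. */
int p15_ids_all_unique(const struct p15_cert *certs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (strcmp(certs[i].unique_id, certs[j].unique_id) == 0)
                return 0;
    return 1;
}

/* Look up a certificate by its unique ID; returns the index or -1. */
long p15_find_cert(const struct p15_cert *certs, size_t n, const char *uid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(certs[i].unique_id, uid) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: a card whose CDF reuses ID 02 for the whole signature
   chain and ID 03 for the authentication chain. */
struct p15_cert sample_cdf[] = {
    { "02", "Root-CA-Zertifikat fuer Signatur",         "" },
    { "02", "Sub-CA certificate for signature",          "" },
    { "02", "End-entity signature certificate",          "" },
    { "03", "Root CA certificate for authentication",    "" },
    { "03", "End-entity authentication certificate",     "" },
};
const size_t sample_cdf_len = sizeof sample_cdf / sizeof sample_cdf[0];

int main(void)
{
    size_t renamed = p15_assign_unique_ids(sample_cdf, sample_cdf_len);
    printf("%zu entries received a suffix\n", renamed);
    for (size_t i = 0; i < sample_cdf_len; i++)
        printf("%-6s (raw %s)  %s\n", sample_cdf[i].unique_id,
               sample_cdf[i].id, sample_cdf[i].label);
    return p15_ids_all_unique(sample_cdf, sample_cdf_len) ? 0 : 1;
}
```

For the sample above the three chain members tagged 02 become 02, 02.1 and 02.2, and the two tagged 03 become 03 and 03.1. Because the suffix depends only on the order of entries in the CDF, the assigned IDs are stable for a given card but, as the message notes, may differ from the IDs an earlier implementation handed out.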