OpenPGP smartcard restore

Ingo Klöcker kloecker at kde.org
Tue Jun 13 19:37:31 CEST 2006


On Tuesday 13 June 2006 19:03, markus reichelt wrote:
> * markus reichelt <ml at mareichelt.de> wrote:
> > Essentially you're saying: no backup of a private key generated
> > on/via a smartcard cannot be exported. Because if it could be
> > exported, importing the key(s) in question just works.
>
> Sorry, that was heat-induced and shall read of course as follows:
>
> Essentially you're saying: a private key generated on/via a smartcard
> cannot be exported, so no backup of the private key in question is
> possible. Because if the private key(s) could be exported, import of
> the key(s) in question just works without problems.
>
> The rest of my message still stands though.
>
> Bottom line, what's the use of importing to smartcards when no export
> from smartcards is possible?

Obviously, to be able to import keys which were generated off-card.
Because some people don't seem to be able to sleep without a backup of
the private key.

> In other words: Why is the export of 
> plain smartcard private keys prohibited in the first place?

Is that a trick question? Short answer: Security. Longer answer: It's
prohibited because if nobody can export the private key from the
smartcard then nobody can steal the private key without your knowledge.
You would surely notice that your smartcard is missing but you might
never know that some trojan horse has stolen your private key.

> Additionally, why is importing of off-card generated private keys
> allowed then?

See above. Other use case: My key is signed by many people. If I
couldn't import my key to a smartcard (well, I think I can't because
it's no RSA key, but let's pretend for the moment that it were an
importable key), then I'd have to regather all those signatures again
for my new on-card generated key.

Regards,
Ingo
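The workflow the thread turns on, generating the key off-card so that a backup exists before it is moved to the card, written out as an added example (it is not code from the thread or from GnuPG). It assumes GnuPG 2.1 or later on PATH; the user id, file names and the rsa2048 key type are constructed for the demo. The function generates a key in a throwaway home directory, exports the secret key, and proves the backup restores into a second empty home directory, which is exactly the step a card-generated key can never give you:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the GnuPG project.
# Assumes GnuPG 2.1+ (gpg, gpgconf) on PATH; uid/paths below are constructed.
set -eu

# Throwaway GNUPGHOME so the demo never touches the real keyring.
make_home() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# g HOME args...: run gpg non-interactively against HOME with an empty
# passphrase (demo only; a real backup key gets a strong passphrase).
g() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --no-tty --pinentry-mode loopback \
    --passphrase '' "$@"
}

# first_fpr HOME: fingerprint of the first secret key in HOME.
first_fpr() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# offcard_backup_roundtrip UID BACKUP_FILE
# Generate a signing key off-card, export it to BACKUP_FILE, then import the
# file into a fresh home and check the fingerprints match. Prints the
# fingerprint and returns 0 on success.
offcard_backup_roundtrip() {
  uid=$1; backup=$2
  src=$(make_home); dst=$(make_home)
  # rsa2048: the key type the original OpenPGP cards accept (assumption: any
  # type the target card supports would do).
  g "$src" --quick-gen-key "$uid" rsa2048 sign 0 >/dev/null 2>&1
  fpr=$(first_fpr "$src")
  # The backup: taken while the key is still in software and exportable.
  g "$src" --armor --export-secret-keys "$fpr" > "$backup"
  chmod 600 "$backup"
  # Restore test into an empty home, the thing a card can never do for you.
  g "$dst" --import "$backup" >/dev/null 2>&1
  restored=$(first_fpr "$dst")
  # Stop the per-home agents before deleting their directories.
  GNUPGHOME="$src" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$dst" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$src" "$dst"
  [ -n "$fpr" ] && [ "$fpr" = "$restored" ] || return 1
  printf '%s\n' "$fpr"
}

# Run the round trip when invoked directly as: sh this.sh demo
if [ "${1:-}" = demo ]; then
  offcard_backup_roundtrip "Demo Key <demo@example.invalid>" ./offcard-backup.asc
  echo "next step (needs the card): gpg --edit-key <fingerprint>, then keytocard"
fi
```

Only after the restore check passes does moving the key to the card make sense: `keytocard` inside `gpg --edit-key` replaces the local copy with a stub once saved, so the backup file is the only remaining software copy and belongs offline with a real passphrase. The same file is what makes Ingo's second use case work, since a restored and re-imported key carries all the signatures it had already collected.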