Enable KDF-DO on a populated GNUK
gniibe at fsij.org
Thu Jan 28 03:56:39 CET 2021
KDF-DO should be used, that is common practice for using Gnuk.
Szczepan Zalega wrote:
> From my tests it turned out that currently with the recent GNUK 1.2.15
> and GnuPG 2.2.25 it is not possible to set up a KDF-DO on a populated /
> personalized device (with keys). As a user I would like to have such
> option, so I would not be forced through factory reset.
No, it's not possible for Gnuk. Originally, when it was proposed, it
was designed/implemented that KDF-DO setup should be done with no key
materials. And Gnuk keeps this constraint.
Well, I'm afraid that convenience here introduces complexity of
implementation and confusion about how KDF-DO should be used.
Given the situation that it is not currently supported, if it will be
supported by someone else in future, a user has to do flash new firmware
losing keys on card, anyway, so, I don't think adding this new option
makes any sense.
Rather, for me, it makes sense to go opposite direction, instead; ... to
refuse keytocard/key-generation when KDF-DO is not available.
> Is having this GnuPG  patch sufficient to make that work, or are
> there any changes needed in the GNUK itself?
No, the patch is supporting other implementations of OpenPGPcard.
More information about the Gnuk-users