Enable KDF-DO on a populated GNUK

NIIBE Yutaka gniibe at fsij.org
Thu Jan 28 03:56:39 CET 2021


KDF-DO should be used; that is common practice for using Gnuk.

Szczepan Zalega  wrote:
> From my tests it turned out that currently, with the recent GNUK 1.2.15
> and GnuPG 2.2.25, it is not possible to set up a KDF-DO on a populated /
> personalized device (with keys). As a user I would like to have such an
> option, so I would not be forced through a factory reset.

No, it's not possible for Gnuk.  Originally, when it was proposed, it
was designed/implemented so that KDF-DO setup should be done with no key
material.  And Gnuk keeps this constraint.

Well, I'm afraid that convenience here introduces complexity of
implementation and confusion about how KDF-DO should be used.

Given the situation that it is not currently supported, if it were to be
supported by someone else in future, a user would have to flash new
firmware, losing the keys on the card anyway, so I don't think adding
this new option makes any sense.

Rather, for me, it makes sense to go in the opposite direction instead; ... to
refuse keytocard/key-generation when KDF-DO is not available.

> Is having this GnuPG [1] patch sufficient to make that work, or are
> there any changes needed in the GNUK itself?

No, the patch supports other implementations of OpenPGP card.