Smart card interface, why so many daemons ?

Werner Koch wk at
Thu Aug 4 09:46:43 CEST 2005

On Wed, 27 Jul 2005 10:21:37 +0200, Laurent Pinchart said:

> - PC/SC

Only required if you don't want to go with the internal CCID driver.

> - pcsc-wrapper (not really a daemon here, but a separate process)

This one is required to workaround the pthreads/pth conflicts. Having
a libpsclite build without pthreads would make it needless.

> - scdaemon

Accesssing smartcards but due to the nature of smartcards, does not
require to handle any sensitive (read private key) data.

> - gpg-agent

Manage private keys.  Smartcards are different and thus gpg-agent will
delegate operations to it.  It is easier to have a single process to
manage all sign and decrypt operations than to let the actual
application decide whether to go to the gpg-agent or to the smartcard.

> I understand the argument that, for security reasons, GnuPG can't be made a 
> library, but will stay a separate process (with gpgme helping to communicate 
> with that process). Are there security issues with scdaemon and 
> pcsc-wrapper ?

Not for pcsc-wrapper.  I don't want to have all that code for
smartcards in the same process having access to private keys
(gpg-agent).  This is a general precaution and will urther help
systems like SELinux to better protect private keys stored on disk.



More information about the Gnupg-devel mailing list