Smart card interface, why so many daemons ?
wk at gnupg.org
Thu Aug 4 09:46:43 CEST 2005
On Wed, 27 Jul 2005 10:21:37 +0200, Laurent Pinchart said:
> - PC/SC
Only required if you don't want to go with the internal CCID driver.
> - pcsc-wrapper (not really a daemon here, but a separate process)
This one is required to workaround the pthreads/pth conflicts. Having
a libpsclite build without pthreads would make it needless.
> - scdaemon
Accesssing smartcards but due to the nature of smartcards, does not
require to handle any sensitive (read private key) data.
> - gpg-agent
Manage private keys. Smartcards are different and thus gpg-agent will
delegate operations to it. It is easier to have a single process to
manage all sign and decrypt operations than to let the actual
application decide whether to go to the gpg-agent or to the smartcard.
> I understand the argument that, for security reasons, GnuPG can't be made a
> library, but will stay a separate process (with gpgme helping to communicate
> with that process). Are there security issues with scdaemon and
> pcsc-wrapper ?
Not for pcsc-wrapper. I don't want to have all that code for
smartcards in the same process having access to private keys
(gpg-agent). This is a general precaution and will urther help
systems like SELinux to better protect private keys stored on disk.
More information about the Gnupg-devel