Some bits about SCdaemon

Werner Koch wk at gnupg.org
Fri Mar 16 08:38:23 CET 2007


On Fri, 16 Mar 2007 04:17, simon at josefsson.org said:

> Adding that functionality would be really useful for GnuTLS.

Okay.  Before I add this command it will be very useful to store
attributes along with the private keys.  For example capabilities of
the key (so that a signing key is not accidentally used for decryption).

> Another idea is for gpg-agent to present a pull-down list with private
> keys, and have the user choose one of them.  Mozilla works this way
> when you have multiple private keys locally.

That is too much user interface for gpg-agent.  A frontend can do
that.  I don't want to have more code in gpg-agent than required for
managing private keys.

> Possibly, GnuTLS can also tell the agent for which CAs it should
> bother to list private keys for, since the TLS server typically tells
> you this.

That is a problem as gpg-agent does not know anything about PKIs.  In
fact one key might possibly be used by several certificates, OpenPGP
keys and ssh keys.  For smart cards it is really useful to have one
smart card for X.509 and OpenPGP.

> Maybe gpg-agent could act as a proxy for gpgsm --server too?  Although
> I might not need to talk with gpgsm after all...

You don't need gpgsm.  GnuTLS has its own certificate management.  Or
do you want to use gpgsm for this?  I have considered several times to
write a certificate validation library but it is quite hard to do this
in a generic way.  You would need too many callbacks and such which
makes an API too complicated.

>> Check out gnupg/sm/call-agent.c on how decryption and signing can be
>> delegated to gpg-agent/scdaemon.
>
> Ok, I see.  Why doesn't it use the scdaemon-proxy in the agent?  Is
> the scdaemon-proxy idea in the agent a new invention?

That is because gpgsm works only with registered smart cards (gpgsm
-learn).  gpg-agent then knows when to divert operations to a smart
card.  The idea here is that gpg-agent can ask the user to insert a
specific smart card.  However, a shortcut for the currently inserted
smart card might make sense.



Shalom-Salam,

   Werner
