Read-only keyring and the keybox

[markus reichelt]

* Werner Koch <wk at gnupg.org> wrote:

> On Sun, 6 Dec 2009 22:00:40 +0100, markus reichelt wrote:
> > While you are at it, would it be possible to also address the
> > issue of using multiple smartcards?
> 
> What do you mean by that?  Support for several readers?

That would be nice too. But I think it's more important to be able to
use multiple smartcards per user - with the same reader. 

F.e. http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
states under "Known problems" that "[...] GPG will look for the first
key in the keyring to decrypt things." What a hassle to set up a
smartcard subsequently.

It would be nice to have some option like "--cardkey fingerprint" to
pass to gnupg in order to achieve that. I realize that a new format
like keybox is not really necessary to accomplish that, but while you
are brainstorming a major pillar of gnupg it's worth mentioning, in
my book.

Maybe it's even as simple as adapting gnupg's check for secret keys
present in the (primary) keyring to just look for a cardreader with
inserted card. Don't know, I haven't dived into the depths of the
source code.


Oh, why I'm advocating to use the fingerprint instead of the short
keyid above: I've come across a case where fetching a key via the
usual gpg --recv-keys 0xdeadbeef method yielded 2 matching keys (if
you must know, check for 0x76B8337A on subkeys.pgp.net).

Needless to say that the wrong key was used in operation (that could
have been attributed just as well to my setup) but people expect to
get a single key, not each key matching the shortid format. So, to
make a rather verbose story short: Please adapt documentation
accordingly.

-- 
left blank, right bald
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/attachments/20091208/28a8d32c/attachment.pgp>