1024-3072 bit OpenPGP cards

David Shaw dshaw at jabberwocky.com
Fri Jul 17 20:05:43 CEST 2009

On Jul 17, 2009, at 5:26 AM, Werner Koch wrote:

> 1) Keep it as it is.  This will work without surprises unless the user
>    once wrote different sized keys to the card.
> 2) Always ask for the key size and use as default the current size.
>    Show a warning notice if the user entered a different size.
> 3) Same as 2 but do this only with --expert.
> 4) Add a new command "keysize" to manually set the keysize for each
>    key.  Print a warning notice before key generation if the key sizes
>    of the card are not all the same and tell the user about the
>    keysize command.
> 5) Other suggestions?

My feeling is #2 is the best answer.  I'd do it with the current size
(whatever it is) of the signing key slot being used as the default for
all three slots (is it reasonable to assume that if slot #1 can handle
a particular size, then slots #2 and #3 can also handle it?)  Prompt
for the key size, and if it is not the same as the default, then print
out a message something like:

   You have requested a key size of %u.  Note that not all cards can
   handle all key sizes.
   GnuPG will attempt to create your key, but if the card rejects it,
   you may need to try a different key size.
   Please consult your card documentation for more information.

Then try and generate the key.  If it fails, the user has been
prepared for that possibility.

This makes the user experience of generating a key on a card as close
as possible to generating a key normally.
