Peaceful coexistence of GnuPG and other smart card software
martin at martinpaljak.net
Wed Aug 10 18:24:35 CEST 2011
First of all, I'm really excited about GnuPG 2.0.18 release. Right now CryptoStick v1.2 is the most exciting commonly available smart card/token I have, as it supports 4096 bit RSA keys. This is sweet.
It is really exciting also for another reason: it is the only hardware device that actually works with GnuPG, the reason being that using commodity cryptographic hardware through PKCS#11 in GnuPG is virtually impossible (gnupg-pkcs11-scd is not really user-friendly), as recently discussed on this list as well. While I support the cause of the anonymous poster and would welcome the support for PKCS#11 in GnuPG (heck, even OpenSSH folks finally saw the light) I'd like to draw attention to another problem: using an OpenPGP-compatible tokens together with gpg2 and other software that can support the token interface, like OpenSC.
I have collected a few issues (and workarounds) about using gpg2 with CryptoStick on Mac OS X (GPGTools) and (Debian)Linux to OpenSC wiki .
I've tried looking around in scd/ folder to get an understanding on how things work to provide a patch that would fix some of the problems, namely:
- removing exclusive mode and relying on transactions(SCardBeginTransaction/SCardEndTransaction) for smart card access (at least making it *easily* configurable)
- support for multiple readers, where the OpenPGP card/token is not the first reader
- maybe some better error messages (though I doubt I can/want bite through the scdaemon/assuan/gpg-agent microsystems)
Would such changes be of interest and be included with GnuPG?
More information about the Gnupg-devel