Peaceful coexistence of GnuPG and other smart card software

Martin Paljak martin at martinpaljak.net
Wed Aug 10 18:24:35 CEST 2011


Hello,

First of all, I'm really excited about GnuPG 2.0.18 release. Right now CryptoStick v1.2 is the most exciting commonly available smart card/token I have, as it supports 4096 bit RSA keys. This is sweet.

It is really exciting also for another reason: it is the only hardware device that actually works with GnuPG, the reason being that using commodity cryptographic hardware through PKCS#11 in GnuPG is virtually impossible (gnupg-pkcs11-scd is not really user-friendly), as recently discussed on this list as well. While I support the cause of the anonymous poster and would welcome the support for PKCS#11 in GnuPG (heck, even OpenSSH folks finally saw the light) I'd like to draw attention to another problem: using OpenPGP-compatible tokens together with gpg2 and other software that can support the token interface, like OpenSC.

I have collected a few issues (and workarounds) about using gpg2 with CryptoStick on Mac OS X (GPGTools) and (Debian) Linux on the OpenSC wiki [1].

I've tried looking around in scd/ folder to get an understanding on how things work to provide a patch that would fix some of the problems, namely:
 - removing exclusive mode and relying on transactions (SCardBeginTransaction/SCardEndTransaction) for smart card access (at least making it *easily* configurable)
 - support for multiple readers, where the OpenPGP card/token is not the first reader
 - maybe some better error messages (though I doubt I can/want to bite through the scdaemon/assuan/gpg-agent microsystems)

Would such changes be of interest and be included with GnuPG?

Best,
Martin

[1] http://www.opensc-project.org/opensc/wiki/OpenPGP#Tips
-- 
@MartinPaljak.net
+3725156495
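The two scdaemon changes asked for above (shared-mode PC/SC access with SCardBeginTransaction/SCardEndTransaction around each command sequence, and walking all readers instead of assuming the OpenPGP card sits in the first one) as an added example in Python. This is not GnuPG, OpenSC or the poster's code. The real transport assumes pyscard's smartcard.scard module and its SCard* wrappers (SCardTransmit taking the active protocol and a list of ints and returning (hresult, response)); the reader names, card contents and AID fields of FakeTransport are constructed for the demonstration, and the OpenPGP AID layout follows the OpenPGP card specification.

```python
"""Find the reader holding an OpenPGP card over PC/SC in SHARED mode, with
SCardBeginTransaction/SCardEndTransaction around each APDU exchange.
Added example (not GnuPG/OpenSC code); hardware access assumes pyscard."""
OPENPGP_AID = bytes.fromhex("D27600012401")  # RID + application id (OpenPGP card spec)
SW_OK = b"\x90\x00"
GET_DATA_AID = b"\x00\xca\x00\x4f\x00"       # GET DATA, DO 4F = full Application Identifier

def select_apdu(aid: bytes) -> bytes:
    """ISO 7816-4 SELECT by DF name: CLA INS P1 P2 Lc <AID>."""
    return b"\x00\xa4\x04\x00" + bytes([len(aid)]) + aid

def parse_openpgp_aid(data: bytes) -> dict:
    """Split the 16-byte AID DO: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2)."""
    if len(data) != 16 or data[:6] != OPENPGP_AID:
        raise ValueError("not an OpenPGP AID: %s" % data.hex())
    return {"version": "%d.%d" % (data[6], data[7]),
            "manufacturer": int.from_bytes(data[8:10], "big"),
            "serial": data[10:14].hex().upper()}

def probe_card(t, handle):
    """SELECT OpenPGP and read its AID inside ONE transaction; always release it."""
    t.begin_transaction(handle)
    try:
        if t.transmit(handle, select_apdu(OPENPGP_AID))[-2:] != SW_OK:
            return None                      # e.g. SW 6A82: no OpenPGP applet here
        resp = t.transmit(handle, GET_DATA_AID)
        return parse_openpgp_aid(resp[:-2]) if resp[-2:] == SW_OK else None
    finally:
        t.end_transaction(handle)            # other clients (OpenSC, ...) may go now

def find_openpgp_card(t):
    """Walk every reader instead of assuming reader 0; return (reader, aid info)."""
    for reader in t.list_readers():
        try:
            handle = t.connect_shared(reader)  # SCARD_SHARE_SHARED, not EXCLUSIVE
        except ConnectionError:
            continue                         # empty or busy reader
        try:
            info = probe_card(t, handle)
        finally:
            t.disconnect(handle)
        if info is not None:
            return reader, info
    return None

class PcscTransport:
    """Real PC/SC access through pyscard's smartcard.scard (assumed installed)."""
    def __init__(self):
        import smartcard.scard as s          # lazy import: the rest runs without pyscard
        self.s, self.proto = s, {}
        hr, self.ctx = s.SCardEstablishContext(s.SCARD_SCOPE_USER)
        self._check(hr)
    def _check(self, hr):
        if hr != self.s.SCARD_S_SUCCESS:
            raise ConnectionError(self.s.SCardGetErrorMessage(hr))
    def list_readers(self):
        hr, readers = self.s.SCardListReaders(self.ctx, [])
        self._check(hr)
        return readers
    def connect_shared(self, reader):
        hr, h, proto = self.s.SCardConnect(self.ctx, reader, self.s.SCARD_SHARE_SHARED,
                                           self.s.SCARD_PROTOCOL_T0 | self.s.SCARD_PROTOCOL_T1)
        self._check(hr)
        self.proto[h] = proto
        return h
    def begin_transaction(self, h): self._check(self.s.SCardBeginTransaction(h))
    def end_transaction(self, h): self._check(self.s.SCardEndTransaction(h, self.s.SCARD_LEAVE_CARD))
    def disconnect(self, h): self._check(self.s.SCardDisconnect(h, self.s.SCARD_LEAVE_CARD))
    def transmit(self, h, apdu):
        hr, resp = self.s.SCardTransmit(h, self.proto[h], list(apdu))
        self._check(hr)
        return bytes(resp)

class FakeTransport:
    """Constructed stand-in: two readers, OpenPGP card in the SECOND one; rejects APDUs
    sent outside a transaction and logs begin/end so balance can be checked."""
    AID = OPENPGP_AID + bytes.fromhex("0200 0001 00001234 0000")  # made-up v2.0 AID
    def __init__(self):
        self.cards = {"Reader A": "other", "Reader B": "openpgp"}
        self.open_tx, self.tx_log = 0, []
    def list_readers(self): return list(self.cards)
    def connect_shared(self, reader): return reader
    def disconnect(self, handle): pass
    def begin_transaction(self, h): self.open_tx += 1; self.tx_log.append("begin")
    def end_transaction(self, h): self.open_tx -= 1; self.tx_log.append("end")
    def transmit(self, handle, apdu):
        if self.open_tx != 1:
            raise RuntimeError("APDU sent outside a transaction")
        if self.cards[handle] != "openpgp":
            return b"\x6a\x82"               # SW 6A82: application not found
        if apdu == select_apdu(OPENPGP_AID):
            return SW_OK
        return self.AID + SW_OK if apdu == GET_DATA_AID else b"\x6d\x00"

if __name__ == "__main__":                   # swap in PcscTransport() for real readers
    print(find_openpgp_card(FakeTransport()))
```

The point of the shared handle is PC/SC semantics: a handle opened with SCARD_SHARE_EXCLUSIVE makes every other SCardConnect on that reader fail with SCARD_E_SHARING_VIOLATION until the owner disconnects, which is exactly how one daemon holding the token locks the other out. A shared handle plus SCardBeginTransaction gives the same atomicity only for the span of one command sequence and releases it afterwards. The caveat that comes with it: between two transactions the other client may have selected a different application or changed the card's security state (verified PIN, etc.), so each transaction should re-SELECT the application it needs, as probe_card does, rather than trust whatever state it left behind.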