OpenPGP card specification: Data Object of 0x7f21 ("CERT-3")

NIIBE Yutaka gniibe at
Wed Dec 21 04:24:14 CET 2011


This is my comment for OpenPGP card specification version 2.0, with
regard to Data Object 0x7f21, according to my experience of developing

In short, Data Object 0x7f21 ("CERT-3") is difficult to support.

If I understand correctly, this data object supposed to have X.509
certificate for authentication key "OPENPGP.3".

The size of this data object is big, from the viewpoint of smartcard.
When I created my certificate with, its length is 1328 byte
(for my RSA 2048-bit key for authentication).  I think that it can be

While other data objects are small enough (< 256 bytes), this data
object is exceptionally big.

Current of GnuPG for exended APDU level cannot handle such a big data
object.  This is true for internal ccid driver as well as for PC/SC

For ccid driver, it's ccid-driver.c:ccid_transceive_apdu_level, which
has smaller buffer.  For PC/SC backend it's
pcsc-wrapper.c:handle_transmit which has 1024-byte buffer.

I wonder to change ccid-driver.c and pcsc-wrapper.c just for the data
object 0x7f21.  So, I have investigated if there are some use case for
this data object.  I had thought that it were used by Scute and Poldi,
but I couldn't find any use case in the code.

In my opinion, it would be better to define EF (elementary file)
instead of DO for large data, so that it can be accessed by

More information about the Gnupg-devel mailing list