OpenPGP card specification 2.0 improvement?

Sébastien Lorquet squalyl at
Wed May 18 15:04:58 CEST 2011

ISO7816-4-2005 allows a CHANGE REFERENCE DATA without the old data, by
setting P1=01h

The spec could use this version, and require the previous verification of
the pin by VERIFY PIN.

With the current spec, the actual length of the PIN shall be available
somewhere. The current data only indicates the maximum length, thus implying
the PIN length is variable, but CHANGE REFERENCE DATA does not allow this.

Speaking of spec updates, I have more ideas, mainly the AID shall not
contain the serial number and the card shall use files instead of data
objects. Is a v3 spec planned for some day?


Sebastien Lorquet

On Wed, May 18, 2011 at 2:54 PM, Werner Koch <wk at> wrote:

> On Tue, 17 May 2011 02:31, gniibe at said:
> > If a card supports variable length of PIN, it would be better to have
> > format to specify length of input on host side.
> The standard does not allow for this.  Hwoever there is a simple
> workaround:  Do a VERIFY for the old PIN first to see whether it is
> correct and only then assemble the CHANGEREFERENCEDATA.
> Shalom-Salam,
>   Werner
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20110518/d57329d9/attachment.htm>

More information about the Gnupg-devel mailing list