PUBKEY_USAGE_AUTH

Werner Koch wk at gnupg.org
Tue Aug 13 18:03:44 CEST 2013


On Wed,  3 Jul 2013 04:10, gniibe at fsij.org said:

> With Gnuk Token, I have been using a subkey for authentication, that
> is, a subkey with PUBKEY_USAGE_AUTH flag.  But I only use it through
> gpg-agent for SSH-agent service and Scute for X.509 client certificate

Yes that was the idea.

> Does it make sense to add an option like --auth to enable using
> authkey for --sign or --clearsign?  Or some flag to enable
> gpgme_op_sign using authkey?

OpenPGP only says

  0x20 - This key may be used for authentication.

Thus, if an OpenPGP signature is part of an authentication system, it
makes sense to allow the use of such a key.

Anyone with ideas for the best way to tell gpg about this?  Shall gpg
only select authkeys then?  In terms of GPGME integration an option to
switch to (or allow the use of) authkeys would be the easiest way.

> I know that we can use gpg-connect-agent and PKSIGN.  I want somewhat
> public API for authentication subkey.

You can also use GPGME for this:

  /* Send the Assuan COMMAND and return results via the callbacks.
     Asynchronous variant. */
  gpgme_error_t gpgme_op_assuan_transact_ext (gpgme_ctx_t ctx, .....

This is for example used by GPA's smartcard interface.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
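
Added example, not part of the original message and not code from GnuPG or GPGME: the 0x20 flag quoted above is carried in the OpenPGP Key Flags signature subpacket (type 27, RFC 4880), and the C code below walks a hashed subpacket area to test for it. The function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SIGSUBPKT_KEY_FLAGS 27    /* RFC 4880, section 5.2.3.21 */
#define KEYFLAG_AUTH        0x20  /* "This key may be used for authentication." */

/* Walk a v4 signature's hashed subpacket area (RFC 4880, section 5.2.3.1).
   Returns the first Key Flags octet, or -1 if absent or malformed. */
int key_flags_from_subpackets(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        size_t n = buf[pos++];               /* length covers type + data */
        if (n == 255) {                      /* five-octet length form */
            if (len - pos < 4) return -1;
            n = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16)
              | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
            pos += 4;
        } else if (n >= 192) {               /* two-octet length form */
            if (pos >= len) return -1;
            n = ((n - 192) << 8) + buf[pos++] + 192;
        }
        if (n == 0 || n > len - pos) return -1;   /* empty or truncated */
        if ((buf[pos] & 0x7f) == SIGSUBPKT_KEY_FLAGS)  /* bit 7 = critical */
            return n >= 2 ? buf[pos + 1] : 0;
        pos += n;
    }
    return -1;
}

int key_may_authenticate(const uint8_t *buf, size_t len)
{
    int flags = key_flags_from_subpackets(buf, len);
    return flags >= 0 && (flags & KEYFLAG_AUTH) != 0;
}
/* Constructed sample subpacket areas (not taken from any real key). */
static const uint8_t auth_subkey[] = { 0x05, 0x02, 0x52, 0x0a, 0x5c, 0x30,  /* creation time */
                                       0x02, 0x9b, 0x20 };  /* critical key flags: auth */
static const uint8_t encr_subkey[] = { 0x02, 0x1b, 0x0c };  /* key flags: encrypt only */
static const uint8_t truncated[]   = { 0x05, 0x1b, 0x20 };  /* claims 5 octets, has 2 */

int main(void)
{
    printf("auth=%d encr=%d truncated=%d\n",
           key_may_authenticate(auth_subkey, sizeof auth_subkey),
           key_may_authenticate(encr_subkey, sizeof encr_subkey),
           key_flags_from_subpackets(truncated, sizeof truncated));
    return 0;
}
```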



