[PATCH] gpg: enable key-to-card upload for cert-only keys

NIIBE Yutaka gniibe at fsij.org
Sat Feb 1 15:14:27 CET 2014

Thank you for your report also sending to me.  It required some time
for me to understand the context (I misunderstood as it were bug

On 2014-01-23 at 11:34 +0100, Dominik Heidler wrote:
> From: Dominik Heidler <dominik at heidler.eu>
> * g10/card-util.c (card_store_subkey): allow PUBKEY_USAGE_CERT
> GnuPG-bug-id: 1548
> Signed-off-by: Dominik Heidler <dominik at heidler.eu>

Let me rephrase.

I think that you have a primary key with C-flag only and want to
import that key to smartcard.  I guess that you have a subkey for
signing only.  Or you are considering such a use case.  --- (*)

I could understand this.  Life cycle would be different between
primary key and signing only key.  I know some Debian developers who
use signing only subkey.

Currently, OpenPGP card specification doesn't fit the use case of (*)
very well, if a person wants to import both of primary key (for
signing only) and signing only subkey.  It defines only a single key,
which is used to both purposes.

It would be good if OpenPGP card specification allows an optional
signing key, so that it could support the use case of (*).  Then,
your patch will fully make sense.

Do you claim the use case above?  Or, is your patch just a

In my opinion, we need to discuss enhancement of OpenPGP card
specification at first, if the use case is really common or its
support is needed.

More information about the Gnupg-devel mailing list