[PATCH] gpg: enable key-to-card upload for cert-only keys

NIIBE Yutaka gniibe at fsij.org
Mon Feb 3 09:00:11 CET 2014

On 2014-02-01 at 15:27 +0100, Dominik Heidler wrote:
> Am 01.02.2014 15:14, schrieb NIIBE Yutaka:
> > Currently, OpenPGP card specification doesn't fit the use case of (*)
> > very well, if a person wants to import both of primary key (for
> > signing only) and signing only subkey.  It defines only a single key,
> > which is used to both purposes.
> > 
> > It would be good if OpenPGP card specification allows an optional
> > signing key, so that it could support the use case of (*).  Then,
> > your patch will fully make sense.
> Yes - that's the only downside: I need the C-Key smartcard to sign other
> users keys. But I'm not signing that often, so that's ok for me.

Let me explain my understanding of OpenPGP card.

It does not support all features of OpenPGP, but common ones.

An OpenPGP card offers three keys.  One is for primary key of OpenPGP,
with a capability of signing other keys (certify, C-flag) and a
capability of making signatures (S-flag).  Second is for subkey for
decryption (E-flag), and third is for subkey for authentication
(A-flag).  Features are subset of what OpenPGP can do.

As GnuPG's default action of --gen-key is generating a primary key
with S+C and a subkey with E, I think that we can say that OpenPGP
card supports most common case.

The particular use case of yours would be beyond the scope of OpenPGP
card specification, possibly.  Even with current GnuPG, you have a
workaround pretending as if your key had a capability of making
signatures when you import your key to the card.

			*	*	*

I rather would like to support the idea of adding signing only key to
OpenPGP card (and/or its specification), as an optional feature.

More information about the Gnupg-devel mailing list