***SPAM*** Re: [PATCH] gpg: enable key-to-card upload for cert-only keys

Dominik Heidler dominik at heidler.eu
Mon Feb 3 09:08:18 CET 2014

On 3. Februar 2014 09:00:11 MEZ, NIIBE Yutaka <gniibe at fsij.org> wrote:
>On 2014-02-01 at 15:27 +0100, Dominik Heidler wrote:
>> Am 01.02.2014 15:14, schrieb NIIBE Yutaka:
>> > Currently, OpenPGP card specification doesn't fit the use case of (*)
>> > very well, if a person wants to import both the primary key (for
>> > signing only) and a signing-only subkey.  It defines only a single key,
>> > which is used for both purposes.
>> > 
>> > It would be good if OpenPGP card specification allows an optional
>> > signing key, so that it could support the use case of (*).  Then,
>> > your patch will fully make sense.
>> 
>> Yes - that's the only downside: I need the C-Key smartcard to sign other
>> users' keys. But I'm not signing that often, so that's ok for me.
>
>Let me explain my understanding of OpenPGP card.
>
>It does not support all features of OpenPGP, but common ones.
>
>An OpenPGP card offers three keys.  One is for the primary key of OpenPGP,
>with a capability of signing other keys (certify, C-flag) and a
>capability of making signatures (S-flag).  The second is for a subkey for
>decryption (E-flag), and the third is for a subkey for authentication
>(A-flag).  The features are a subset of what OpenPGP can do.
>
>As GnuPG's default action of --gen-key is generating a primary key
>with S+C and a subkey with E, I think that we can say that the OpenPGP
>card supports the most common case.
>
>The particular use case of yours would be beyond the scope of the OpenPGP
>card specification, possibly.  Even with current GnuPG, you have a
>workaround: pretending as if your key had a capability of making
>signatures when you import your key to the card.
>
>			*	*	*
>
>I would rather like to support the idea of adding a signing-only key to
>the OpenPGP card (and/or its specification), as an optional feature.


If I understand you correctly, you want to add an S-only slot to the card. That would only make sense if the existing SC slot then allowed C-only keys.
So your idea is about having the following key slots on the card:
S1: C (or SC?)
S2: S
S3: E
S4: A
