exclusive vs. shared smart card access

[Jan Suhr]

Dear Jacob,

Am 29.08.2015 15:12, schrieb Jacob Appelbaum:
> Dear Jan,
> 
> On 8/28/15, Jan Suhr <jan at nitrokey.com> wrote:
>> Hi Niibe and who it may concern!
>> This issue has been discussed previously but since Werner seems to be
>> positive about it now, I will give it another try:
>> 
>> GnuPG uses an exclusive mode when accessing OpenPGP Cards. This
>> prevents, or at least makes it complicated, to use OpenPGP Cards with
>> GPG and other applications on the same system. In fact it is a 
>> repeating
>> problem Nitrokey users are reporting. To my knowledge most other
>> software (e.g. OpenSC, PKCS#11 drivers) use shared access rather than
>> exclusive access. It seems to be best practice.
>> 
>> We tested GPG in shared mode for several weeks and couldn't find any
>> issue. Also the performance seems to be identical. Hence I would like 
>> to
>> request changing smart card access to shared mode.
>> 
>> The necessary modification is simple: Change the third parameter of
>> pcsc_connect() from PCSC_SHARE_EXCLUSIVE to PCSC_SHARE_SHARED at:
>>     GPG 1.4: Once in g10/apdu.c
>>     GPG 2.0: Once in scd/apdu.c and twice in scd/pcsc-wrapper.c
>>     GPG 2.1: Once in scd/apdu.c
> 
> What are the security considerations of this change? Would this allow
> one application to auth to the card and another application to perform
> operations, for example? If not, has anyone confirmed that?

This would probably be possible. However, a malicious application would 
be able to phish the PIN by presenting a fake PIN entry dialog and do 
all sorts of bad things with the smart card, nomatter if shared or 
exclusive mode. Such applications shouldn't get access to the smart card 
in the first place. I think we will end up with better security for the 
user by reducing usability obstacles and making smart card usage a 
pleasant user experience.

Again, shared access is best practice for all other smart card 
frameworks I'm aware of.

Kind regards,
Jan