exclusive vs. shared smart card access

NIIBE Yutaka gniibe at fsij.org
Tue Sep 1 03:29:16 CEST 2015


Hello, Jan and all,

On 09/01/2015 01:20 AM, Jacob Appelbaum wrote:
> I feel like I must not understand something or something is very wrong
> with the best practices.

Jan, I have addressed this issue multiple times since 2010.  We have
had disagreements, or we have pushed different efforts.  I think you
sought PKCS#11, PC/SC, and opensc, while I have focused on OpenPGPcard
and GnuPG.

While I understand it enables closing some bug reports, I don't think
shared access to a smartcard is a practice.

Let me explain the current situation and my position.

I think that access to a smartcard/token should be controlled by a
single application.  In the case of OpenPGPcard (and compatibles), it's
GnuPG scdaemon.

I know there are some utilities accessing the smartcard/token.  The PIV
utility of Yubikey, or the firmware upgrade utility of Gnuk, come to
mind.

For use of those utilities, GnuPG scdaemon should be killed
beforehand.  It would make sense for such a utility to even have a
feature killing GnuPG scdaemon beforehand (if the user wants to do so).

There are other kinds of tools like Poldi and Scute.  They communicate
through GnuPG scdaemon.  This is another solution.

I think that this is the practice.  I mean, there is a single
responsible application (= GnuPG scdaemon) and there are two ways for
utilities:

  (a) stop the single application beforehand
  (b) communicate to the single application

Please note that we are open to implementing some other features in
GnuPG scdaemon for (b).  IIUC, Werner addressed this to Simon two weeks
ago, wrt the PIV utility.
-- 
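As an added illustration of the two options described in the message above (this is example code, not part of the original post and not GnuPG's own), a small POSIX sh wrapper: option (a) asks scdaemon to exit with `gpgconf --kill scdaemon` before handing the reader to another utility, and option (b) sends a command to the card through scdaemon via `gpg-connect-agent`. The GPGCONF/GPG_CONNECT_AGENT override variables and the utility name passed in are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): wrappers for the two
# ways a utility can coexist with GnuPG scdaemon as the single owner
# of the card.  The two variables below let the logic be exercised
# without a real card or a running gpg-agent (assumption of this example).
GPGCONF="${GPGCONF:-gpgconf}"
GPG_CONNECT_AGENT="${GPG_CONNECT_AGENT:-gpg-connect-agent}"

# Option (b): talk to the card *through* scdaemon.  Commands sent via
# gpg-connect-agent with the "SCD" prefix are forwarded by gpg-agent to
# scdaemon, so scdaemon keeps exclusive access to the reader.
# Example: scd_query SERIALNO
scd_query() {
    "$GPG_CONNECT_AGENT" "SCD $*" /bye
}

# Option (a): a utility (e.g. a firmware upgrader) needs the reader for
# itself.  scdaemon is asked to exit via gpgconf, the supported way to
# stop it (not kill -9), the utility runs, and its exit status is
# returned.  Nothing has to be restarted afterwards: gpg-agent spawns a
# fresh scdaemon the next time a card operation is requested.
with_exclusive_card_access() {
    if [ "$#" -lt 1 ]; then
        echo "usage: with_exclusive_card_access <utility> [args...]" >&2
        return 2
    fi
    "$GPGCONF" --kill scdaemon || return 1
    rc=0
    "$@" || rc=$?
    return "$rc"
}
```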