exclusive vs. shared smart card access
Werner Koch
wk at gnupg.org
Wed Sep 2 13:23:51 CEST 2015
On Tue, 1 Sep 2015 08:46, andreas.schwier.ml at cardcontact.de said:
> It's OK to claim exclusive access to a smart card during a session, but
> the software must release access if it's no longer needed.
GnuPG requires the card all the time.
1. It is not acceptable for a user to wait several seconds for the
decryption of each mail or an ssh authentication.
2. Scdaemon caches data read from the card the first time the
card is accessed. This greatly helps with 1.
3. Without exclusive access to the card we have no guarantee that the
cached data is fresh. Another application may have created a new key
or changed DOs.
4. Without exclusive access other users get access to card and the keys.
This is a no-go. To avoid this we would need to do a power-off after
each operation.
> And the one application controlling access to the card is the PC/SC
> daemon and *not* scdaemon. scdaemon is *one* of the applications
> accessing the card via PC/SC.
Nope. PC/SC is a system wide service but we don't want other users to
access a card we have in use. Iff PC/SC would provide a
request/notification mechanism to tell that another clients needs access
to the card, we can add a feature to reset the card and disconnect.
Salam-Shalom,
Werner
More information about the Gnupg-devel
mailing list