Bridging the airgap
Dirk-Willem van Gulik
dirkx at webweaving.org
Mon Aug 7 13:18:17 CEST 2017
> On 7 Aug 2017, at 12:13, Neal H. Walfield <neal at walfield.org> wrote:
>
> On Sun, 06 Aug 2017 19:53:14 +0200,
> Dirk-Willem van Gulik wrote:
>> As per the IRC discussion - below is a slightly hacked test script of
>> ours that allows you to abuse a suitable chipcard or yubico PGP card
>> with x509 functionality to `bridge' an airgap during generation
>> where one *also* wants the public key to be transported of the
>> secure initial generation (or renewal of the expiry of the subkeys)
>> by means of a smartcard itself (which you sort of axiomatically need
>> to be able to trust the airgap).
>
> This is a neat idea. Did you try using OpenPGP private DOs (data
> objects) to store this data?
Yes!
> See 4.4.3.1 of the OpenPGP card spec:
>
> https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf
>
> I'd be interested to hear what cards have enough space for this.
We’ve never used/seen cards newer than 2.1 (or have any which respond to DO 7F66); on those 2.1 applets — I think that 101 et al. is just shy of 255 bytes.
We’ve been using mixed x509 and openpgp cards/usb-sticks.
Any suggestions for pure open-pgp cards that are newer?
Dw.
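Added illustration, not the test script from the original post (which is not included in the thread): a helper that splits a public key across the private DOs, with a per-chunk header and a SHA-256 digest so the airgapped output can be verified after reassembly. It assumes a capacity of 254 bytes per DO and four private DOs (0101..0104); writing and reading the chunks to the card (e.g. via scdaemon's PRIVATE-DO-n attributes) is left to the caller.

```python
import hashlib
import struct

# Assumed capacity per private DO on the 2.1 applets discussed above
# ("just shy of 255 bytes"); the exact value is card-specific.
DO_CAPACITY = 254
DO_NAMES = ("0101", "0102", "0103", "0104")  # private DOs per the card spec
HEADER = struct.Struct(">BBH")  # chunk index, chunk count, total payload length


def pack_chunks(key_bytes, capacity=DO_CAPACITY, slots=len(DO_NAMES)):
    """Split key_bytes into at most `slots` DO-sized chunks.

    The payload is prefixed with a SHA-256 digest of the key so that a
    corrupted or partially written DO is detected on the other side of the gap.
    """
    payload = hashlib.sha256(key_bytes).digest() + key_bytes
    body = capacity - HEADER.size
    count = -(-len(payload) // body)  # ceiling division
    if count > slots or len(payload) > 0xFFFF:
        raise ValueError(f"key needs {count} DOs, only {slots} available")
    return [HEADER.pack(i, count, len(payload)) + payload[i * body:(i + 1) * body]
            for i in range(count)]


def unpack_chunks(chunks):
    """Reassemble chunks read back from the card (in any order) and verify them."""
    parts, count, total = {}, None, None
    for chunk in chunks:
        i, n, t = HEADER.unpack_from(chunk)
        if count is None:
            count, total = n, t
        elif (n, t) != (count, total):
            raise ValueError("inconsistent chunk headers")
        parts[i] = chunk[HEADER.size:]
    if sorted(parts) != list(range(count)):
        raise ValueError("missing chunks")
    payload = b"".join(parts[i] for i in range(count))
    if len(payload) != total:
        raise ValueError("length mismatch")
    digest, key = payload[:32], payload[32:]
    if hashlib.sha256(key).digest() != digest:
        raise ValueError("digest mismatch: card contents corrupted")
    return key
```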