Bridging the airgap
Neal H. Walfield
neal at walfield.org
Mon Aug 7 13:28:54 CEST 2017
On Mon, 07 Aug 2017 13:18:17 +0200,
Dirk-Willem van Gulik wrote:
> > On 7 Aug 2017, at 12:13, Neal H. Walfield <neal at walfield.org> wrote:
> > On Sun, 06 Aug 2017 19:53:14 +0200,
> > Dirk-Willem van Gulik wrote:
> >> As per the IRC discussion - below is a slightly hacked testscript of
> >> ours that allows you to abuse a suitable chipcart or yubico PGP card
> >> with x509 functionality to `bridge' an airgap during generation
> >> where one *also* wants the public key to be transported of the
> >> secure initial generation (or renewal of the expiry of the subkeys)
> >> by means of a smartcart itself (which you sort of axiomatically need
> >> to be able to trust they airgap).
> > This is a neat idea. Did you try using OpenPGP private DOs (data
> > objects) to store this data?
> Yes !
> > See 18.104.22.168 of the OpenPGP card spec:
> > https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf
> > I'd be interested to hear what cards have enough space for this.
> We’ve never used/seen cards newer than 2.1 (or have any which respond to DO 7F66); on those 2.1 applets ― I think that 101 et.al. is just shy of 255 bytes.
> We’ve been using mixed x509 and openpgp cards/usb-sticks.
> Any suggestions for pure open-pgp cards that are newer ?
Sorry. It sounds like you know a lot more about OpenPGP smartcards
than I do. (I've only ever glanced at the spec, but I've never tried
to do anything advanced with the cards.) But, I think it would be
great if the smartcards at least had enough information to recovery
the public key. I've added Achim Pietig in cc. Perhaps he can
comment on whether it is possible to add it to the spec.
More information about the Gnupg-devel