gpg --card-status always create proxy private keys

Peter Lebbing peter at digitalbrains.com
Tue Feb 14 20:11:03 CET 2017


Hello Alon,

On 13/02/17 22:49, Alon Bar-Lev wrote:
> Similar option was possible in 2.0 using addcardkey.

If you can wrest this behaviour from "addcardkey" you're a better man than I
:-). If I use addcardkey from 2.0, it does not give me the option to use an
existing smartcard key, it will instead warn me that it will overwrite the
existing key. Are you sure you can use an existing key that way?

> Also unfortunately, rpm does not support signing using subkeys.

My first thought is: then rpm should be updated, OpenPGP subkeys are a
well-established technology. But I suppose you need a developer that cares
enough first, it's cheap to yell "then it should be updated!".

But since you can actually create a primary key that can do both certify and
sign, it's not a showstopper for using smartcards.

You can, right? I'm not 100% sure I ever tested using a primary key on a smartcard
with *both* certify and sign, but I wouldn't expect it not to work, since you
actually use the "Sign" slot on a smartcard to use a Certify-capable key.

> Maybe instead of "card-edit/generate" there should be "card-edit/use
> existing" or something?

Isn't that exactly the same as GnuPG 2.1's "edit-key/addkey/Use existing"? What
would be the difference? Well, okay for the latter you need to look up the
keygrip, but the functionality is there.

On 13/02/17 22:59, Alon Bar-Lev wrote:
> hmmm... maybe something like:
> gpg --genkey --keygrip XXXXXX
> so it will generate a primary key out of specific private key?

I'd actually expect it differently. Right now, in contrast with
"edit-key/addkey", GnuPG 2.1 offers the following:

> $ gpg2 --expert --full-gen-key 
> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
>    (9) ECC and ECC
>   (10) ECC (sign only)
>   (11) ECC (set your own capabilities)
> Your selection? 

I'd just like to see option 13 from "edit-key/addkey", so it would be like this
(this is a mock-up, not actual output!):

> $ gpg2 --expert --full-gen-key 
> gpg (GnuPG) 2.1.16; Copyright (C) 2016 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>    (7) DSA (set your own capabilities)
>    (8) RSA (set your own capabilities)
>    (9) ECC and ECC
>   (10) ECC (sign only)
>   (11) ECC (set your own capabilities)
>   (13) Existing key
> Your selection? 

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
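An added, runnable illustration of the "generate a primary key out of a specific private key" idea discussed above; this is example code written for this page, not something from the thread or from GnuPG's own sources. It uses GnuPG's unattended key generation with the Key-Grip: parameter, which tells gpg to wrap a new OpenPGP certificate around a private key that gpg-agent already holds rather than generating fresh key material. Assumptions: gpg 2.1 or later is on PATH; because the verifier has no smartcard, a software key generated into a throwaway GNUPGHOME stands in for the card key (on a real card, the stub that `gpg --card-status` creates is what you would address by keygrip). The keygrip itself comes from `--with-keygrip --list-keys`, field 10 of the "grp" record. The interactive "(13) Existing key" menu entry mocked up above is not part of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG: build a second OpenPGP
# certificate whose primary key is an existing agent-held private key,
# selected by keygrip via the batch "Key-Grip:" parameter.
# Assumption: gpg >= 2.1 on PATH. Everything happens in a temporary GNUPGHOME.

reuse_keygrip_as_primary() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; nothing to demonstrate" >&2
        return 0
    fi

    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Stand-in for the smartcard key (constructed here so the example runs
    # offline): a sign+certify-capable RSA primary, exactly the shape you want
    # for tools that cannot sign with subkeys.
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Stand-in Card Key
Name-Email: standin@example.invalid
Expire-Date: 0
%commit
EOF

    # Keygrip of that private key: field 10 of the "grp" colon record.
    grip=$(gpg --batch --with-colons --with-keygrip --list-keys standin@example.invalid \
        | awk -F: '$1 == "grp" { print $10; exit }')

    # Wait one second so the new certificate gets a different creation time,
    # hence a different fingerprint, while the keygrip (a hash of the public
    # key material only) stays the same. Key-Length is ignored when Key-Grip is set.
    sleep 1
    gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Grip: $grip
Key-Usage: sign
Name-Real: Reused Card Key
Name-Email: reused@example.invalid
Expire-Date: 0
%commit
EOF

    grip2=$(gpg --batch --with-colons --with-keygrip --list-keys reused@example.invalid \
        | awk -F: '$1 == "grp" { print $10; exit }')

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME

    echo "stand-in keygrip: $grip"
    echo "reused   keygrip: $grip2"
    # Success means both certificates are bound to the same private key.
    [ -n "$grip" ] && [ "$grip" = "$grip2" ]
}

reuse_keygrip_as_primary
```

The same parameter file works against a card-backed stub: run `gpg --card-status` once so the stub is created, take the keygrip from `gpg --with-keygrip --list-secret-keys`, and feed it as Key-Grip:. The self-signature on the new certificate is then made on the card, so expect a PIN prompt instead of the unattended run shown here.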


More information about the Gnupg-devel mailing list