card_status - change-request to update allways
myonium at gmail.com
Thu Sep 21 07:55:49 CEST 2017
> On Sep 20, 2017, at 07:25, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Myonium <myonium at gmail.com> wrote:
>> Could you please advise how to get the change below pushed in the next release?
> Sorry, it won't get in. Yes, I understand your use case; You want to
> replace private key stub in .gnupg/private-keys-v1.d.
Yes correct. On "—card-status“ I want to update the stubs to whatever there is on the card … I want the use the keys on the attached smart card if possible.
> For this use case, please remove your .gnupg/private-keys-v1.d/<KEYGRIP>.key
> manually, and do "gpg --card-status“.
Yes that’s what I keep on doing all the time …
> The change you proposed has an impact to existing behavior, that is, it
> always modifies the privat key file when 'gpg --card-status' is invoked.
You are right. However that is exactly what I would expect on a „—card-status“. I cannot think of any situation where this could result in a unwanted conflict. Would you prefer modifying stubs only in case the card changed? Or are you questioning replacing a key stub at all. To my understanding stubs are -in case of smart cards- only pointers indicating where to find the private key ….
updating these pointers on a „—card-status“ seems to be a reasonable thing to me.
> Currently, GnuPG doesn't assume same key can be mutiple cards with
> possiblly different serial number.
This is definitely true for keys generated on the card. Fine for authentication keys. However when it comes to encryption this might not be a wise decision.
A card might brake and who wants to loose all encrypted documents if a card breaks? To my understanding encryption keys need "a offline backup“: I case a card beaks the encryption key can be pushed on the replacement card. If you use different form factors („Smart cards, Yubikey USB dongles, NFC enabled cards for mobiles) having the same keys on multiple cards makes totally sense ...
If you think „modifying stubs only in case the card changed“ would be an acceptable solution I would be volunteer to work on it ...
More information about the Gnupg-devel