[Gpg4win-devel] GnuPG with internal CCID driver

Uri Blumenthal uri at mit.edu
Thu Jul 26 13:19:35 CEST 2018


For MacOS, if 'disable-ccid' in 'scdaemon.conf' works - it would address my concerns. 

I do not know the consequences of shipping CCID driver on Windows. Since in my world people must use PIV tokens on Windows as well, the new software such as GnuPG shouldn't interfere with those. If it is ensured, either by disabling CCID (like above), or by some other means - then again, all is well.

I'd like to mention my other wish - that an 'enable-shared' parameter is added to scdaemon.conf to allow sharing of the token between GnuPG, OpenSC, and tokend (the platforms I'm concerned with here are MacOS and Linux, though I can envision a similar situation on Windows if a user had, e.g., a Yubikey NEO or such, and wanted to use both PIV and OpenPGP applets). I realize the security implications, and think that the trade-off is worth it.

Thanks!

Sent from my test iPhone

> On Jul 26, 2018, at 04:47, Jiri Kerestes <jiri.kerestes at trustica.cz> wrote:
> 
> I didn't do any thorough testing on MacOS yet, but AFAIK you can always
> disable internal CCID driver by adding line 'disable-ccid' to your
> scdaemon.conf. Moreover, this change should affect only Windows builds
> and devices not using standard Windows USB CCID driver.
> 
> Best regards
> 
> Jiri
> 
>> On 26.7.2018 05:27, Uri Blumenthal wrote:
>> Considering that there are popular cards on the market that contain multiple applets - OpenPGP and PIV in particular - shipping GnuPG with its own (internal) CCID driver would likely result in a disaster on MacOS. MacOS requires tokend (often provided by OpenSC) for most apps, and native pivtoken for Safari and Apple Mail (and for some system apps).
>> 
>> This is compounded by the nasty habit of GnuPG to open the token in exclusive mode (regardless of whether there are other applets on this token, or other apps that may need access - e.g., it wouldn't be unheard of to use a web browser and email client at the same time - and both need to access the token).
>> 
>> GnuPG is an important app - but, believe it or not, there are other equally important apps that GnuPG must coexist with (for example, in my work a lot of email is S/MIME, and the vast majority of the protected web sites require PIV certs).
>> 
>> Sent from my test iPhone
>> 
>>> On Jul 25, 2018, at 22:41, NIIBE Yutaka <gniibe at fsij.org> wrote:
>>> 
>>> Jiri Kerestes <jiri.kerestes at trustica.cz> wrote:
>>>> I've done some hackery and I have a working w32 GnuPG build with libusb
>>>> support.
>>> 
>>> Great.
>>> 
>>>> I'm not very familiar with Gpg4win development history, so before I
>>>> dive into autotools to do this properly: is there any reason why
>>>> Gpg4Win shouldn't be shipped with libusb and internal CCID driver?
>>> 
>>> No good technical reason, just historical, I suppose.
>>> 
>>> In the past, I suggested using the internal CCID driver is better (also)
>>> for Windows and macOS, but no one has tried so far.
>>> 
>>> With the internal CCID driver, multiple cardreaders/tokens are
>>> supported.  So, it's good if we can do that on Windows.
>>> 
>>> If the configuration is not that complicated, I will be glad if we can
>>> put the internal CCID driver as a default for GPG4Win.
>>> 
>>> In my opinion, the only use case of scdaemon with PC/SC is that a person
>>> uses PC/SC for other purposes and cannot stop the service, or it
>>> requires some proprietary driver which works with PC/SC.
>>> 
>>> 
>>> Please note that I don't use Windows, at all.  So, my opinion would be
>>> irrelevant.  (All I do for Windows is cross-build of GnuPG for Windows.)
> 