secure channel support via PACE (was: Add support for D-Trust Card 6.1/6.4)
Mario Haustein
mario.haustein at hrz.tu-chemnitz.de
Thu Feb 12 17:39:59 CET 2026
On Saturday, 31 January 2026, 14:45:09 Central European Standard Time, Werner Koch wrote:
> On Fri, 30 Jan 2026 16:31, Mario Haustein said:
> > PACE [1] on both interfaces. Are there plans to eventually support PACE in
> > scdaemon? It's not a problem for me if not, but maybe this kind of cards
> > will
> Support for secure channel is on the todo list for a very long time. It
> would also be helpful for Yubikeys. I am not sure, but isn't it the
> case that the German identity card also requires PACE? In that case I
> should consider to an identity card in addition to my passport.
German identity cards require PACE as well. But they are a bit special. To
access all features, the card terminal needs to authenticate against the card
as well. As far as I understand you need a dedicated reader which contains the
credentials in an HSM. But this is just my observation as a user. At least for
me, it worked only with a "BSI TR-03119"-compliant smart card reader. But I am
not an expert about German ID cards, as they are (currently) out of the scope
of my work. Thus my statement may prove wrong.
The aforementioned readers are advantageous when implementing the secure
channel. They are capable of handling PACE on their own. The secure channel
terminates at the card reader and smart card communication can be handled as
usual in software. One just needs to send an APDU to the card reader at the
beginning to establish the secure channel or alternatively to send a cached
card access number (CAN) to the reader so the reader skips querying it from the
card holder. The latter method should be preferred as it is very annoying to
enter the CAN every time. There is no drawback in caching a CAN.
Kind regards
--
Mario Haustein
Facharbeitsgruppe Anwendungen
Universitätsrechenzentrum
Technische Universität Chemnitz
Straße der Nationen 62 | R. 1/B303 (neu: A11.303)
09111 Chemnitz
Germany
Tel: +49 371 531-36606
mario.haustein at hrz.tu-chemnitz.de
www.tu-chemnitz.de
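The reader-side PACE flow Mario describes (host hands the reader a cached CAN, reader runs PACE itself, host then talks plain APDUs) is, on PC/SC readers, driven through the FEATURE_EXECUTE_PACE control block rather than a regular APDU. The following is an added example, not code from this thread or from GnuPG/scdaemon. It only builds and parses the EstablishPACEChannel block offline; the byte layout, function indices and PinID values are my reading of PC/SC Part 10 Amendment 1 / BSI TR-03119 and should be checked against the specification before use. `CanCache`, `establish_block_for_card` and the sample bytes are constructed for the example.

```python
import struct

# Function indices of the FEATURE_EXECUTE_PACE control (assumed from
# PC/SC Part 10 Amendment 1; verify against the spec).
FUNC_GET_READER_PACE_CAPABILITIES = 0x01
FUNC_ESTABLISH_PACE_CHANNEL = 0x02
FUNC_DESTROY_PACE_CHANNEL = 0x03

# PinID values selecting which password PACE is run with (assumed layout).
PIN_ID_MRZ = 0x01
PIN_ID_CAN = 0x02
PIN_ID_PIN = 0x03
PIN_ID_PUK = 0x04


def build_establish_pace_channel(pin_id: int, password: bytes = b"",
                                 chat: bytes = b"",
                                 cert_description: bytes = b"") -> bytes:
    """Build the block sent to the reader with SCardControl.

    Assumed layout: idxFunction(1) | lengthInputData(2, LE) | InputData, with
    InputData = PinID(1) | lenCHAT(1) | CHAT | lenPIN(1) | PIN |
    lenCertDesc(2, LE) | CertDesc.
    An empty PIN field means "ask the card holder on the reader's own pad";
    a non-empty one is the cached CAN Mario refers to.
    """
    if len(chat) > 0xFF or len(password) > 0xFF:
        raise ValueError("CHAT and password must each fit in one length byte")
    input_data = (bytes([pin_id])
                  + bytes([len(chat)]) + chat
                  + bytes([len(password)]) + password
                  + struct.pack("<H", len(cert_description)) + cert_description)
    return (bytes([FUNC_ESTABLISH_PACE_CHANNEL])
            + struct.pack("<H", len(input_data)) + input_data)


def parse_establish_pace_channel_response(resp: bytes) -> dict:
    """Decode the reader's answer far enough to know whether the channel is up.

    Assumed layout: Result(4, LE) | lengthOutputData(2, LE) | OutputData, with
    OutputData starting as statusMSESetAT(2, SW1 SW2 order) |
    lenEFCardAccess(2, LE) | EF.CardAccess | ...   A Result of 0 means success.
    """
    if len(resp) < 6:
        raise ValueError("response too short")
    result, out_len = struct.unpack_from("<IH", resp, 0)
    info = {"result": result, "established": result == 0}
    if result == 0:
        body = resp[6:6 + out_len]
        if len(body) < 4:
            raise ValueError("output data truncated")
        info["mse_set_at_sw"] = (body[0] << 8) | body[1]
        ef_len = struct.unpack_from("<H", body, 2)[0]
        info["ef_card_access"] = body[4:4 + ef_len]
    return info


class CanCache:
    """Constructed helper: remember the CAN per card so the holder types it once.

    The CAN is printed on the card and only guards against skimming without
    physical access, so keeping it in process memory is the "no drawback"
    trade-off from the mail; key it by something stable such as the ATR.
    """

    def __init__(self):
        self._cans = {}

    def remember(self, card_key: bytes, can: bytes) -> None:
        self._cans[card_key] = can

    def lookup(self, card_key: bytes) -> bytes:
        # Empty bytes -> reader will prompt on its own PIN pad.
        return self._cans.get(card_key, b"")


def establish_block_for_card(cache: CanCache, card_key: bytes) -> bytes:
    """Block to send at session start: cached CAN if known, otherwise prompt."""
    return build_establish_pace_channel(PIN_ID_CAN, cache.lookup(card_key))


if __name__ == "__main__":
    cache = CanCache()
    atr = bytes.fromhex("3b8a8001")  # constructed ATR fragment as cache key
    print(establish_block_for_card(cache, atr).hex())  # prompts on the reader
    cache.remember(atr, b"123456")  # constructed CAN
    print(establish_block_for_card(cache, atr).hex())  # carries the cached CAN
```

Once the reader reports `established`, the host continues with ordinary transmit calls; the secure messaging is applied and removed by the reader, which is why the rest of a PC/SC based scdaemon path would not need to change. `FUNC_DESTROY_PACE_CHANNEL` with an empty input is the matching teardown at session end.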