SmartCard as subkey?
Simon Richter
richtesi at informatik.tu-muenchen.de
Mon Nov 8 15:37:23 CET 2004
Hi,
> > I don't have a smartcard reader in the boxen I consider trustworthy enough
> > to hold my master key. Is there a way I can generate a key in the uni, get
> You don't need to trust the smartcard reader; the reader can't get any
> sensitive information out of the card and snooping the PIN is usually
> of minor interest.
Hrm, if I understood the Sun smart card framework correctly, I can write a
Java class and give that (as root) to the smartcard handling daemon which will
then allow me to enter my PIN securely (takes over display and keyboard,
blinks "Secure PIN entry" LED, sends the PIN to the card and returns). Is
something like this supported in GPG already?
Also, would the following property names be acceptable:
version          Version (ro)
manufacturer     Manufacturer (ro)
serial           Serial number (ro)
name             Name of cardholder
language         Language prefs
sex              Sex
url              URL of public key
login            Login data
pin1             PIN 1 (wo)
pin2             PIN 2 (wo)
pin3             PIN 3 (wo)
pin1len          PIN 1 Maximum length (ro)
pin2len          PIN 2 Maximum length (ro)
pin3len          PIN 3 Maximum length (ro)
pin1cnt          PIN 1 Retry counter (ro)
pin2cnt          PIN 2 Retry counter (ro)
pin3cnt          PIN 3 Retry counter (ro)
sigcount         Signature counter (ro)
sigfingerprint   Signature key fingerprint (ro)
encfingerprint   Encryption key fingerprint (ro)
authfingerprint  Authentication key fingerprint (ro)
> However, to create just subkey you need to have the primary key
> available and that should only be done on a trusted machine. If you
> have such a box, just enter the usual key edit menu and use
> "addcardkey".
Done that now, but it was a major hassle to get a useful "secret" key
(stub master key, redirect-to-card subkeys) to the machines in the uni as
I needed to strip the old, "real" subkeys off.
Maybe it would be good to add a --export-secret-stubs command that exports
only master key stubs and all valid subkeys that do not contain private
key info?
Also, the "General key info" now shows the keyid of the first subkey. Is
there a way I can make it show the master key?
And, last but not least, the "login" field is specified as "proprietary".
Are there already any uses for this (I could, for example, add login
functionality into the Sun OCF driver, but would not really like to
conflict with existing implementations here)?
Simon (who signs this message with the card now)
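The "--export-secret-stubs" filter proposed in the message above, written out as an added example; this is not GnuPG's code and not the author's. It walks an OpenPGP secret keyring packet by packet, turns the primary key into a stub, keeps subkeys whose secret part is only a redirect to the card, and drops subkeys that still carry real secret material together with their binding signatures. The packet layout follows RFC 4880; the stub encoding follows GnuPG's GNU extension to the S2K specifier as documented in its doc/DETAILS (S2K type 101, the magic "GNU", then 1 for gnu-dummy or 2 for gnu-divert-to-card followed by a length octet and the card serial). That layout, the function names, and the constructed sample keyring (tiny fake RSA numbers, placeholder signature bodies, a made-up card serial) are assumptions of this example, not something the original post states.

```python
import struct

TAG_SIG, TAG_SECKEY, TAG_SECSUB, TAG_UID = 2, 5, 7, 13
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}       # RSA*, Elgamal, DSA (RFC 4880 5.5.2)
GNU_S2K = bytes([255, 0, 101, 0]) + b"GNU"          # usage 255, cipher 0, S2K 101, hash 0, magic
STUB_KINDS = ("gnu-dummy", "gnu-divert-to-card")    # assumed GNU S2K extension numbers 1 and 2

def parse_packets(data):
    """Split a binary OpenPGP stream into (tag, body) pairs (RFC 4880 4.2)."""
    out, pos = [], 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if hdr & 0xC0 == 0xC0:                       # new-format header
            tag, b0, pos = hdr & 0x3F, data[pos], pos + 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length, pos = ((b0 - 192) << 8) + data[pos] + 192, pos + 1
            else:
                raise ValueError("five-octet and partial lengths not supported")
        elif hdr & 0xC0 == 0x80 and hdr & 3 != 3:    # old-format header (gpg 1.x key exports)
            tag, nbytes = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]
            length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        else:
            raise ValueError("unsupported packet header 0x%02x" % hdr)
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def encode_packet(tag, body):
    """New-format header; bodies up to 8383 octets (enough for key packets)."""
    n = len(body)
    if n >= 8384:
        raise ValueError("body too long for this encoder")
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def public_part_len(body):
    """Offset of the S2K-usage octet in a v4 secret-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    pos = 6                                          # version, 4-octet ctime, algo
    for _ in range(PUBLIC_MPIS[body[5]]):
        pos += 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
    return pos

def classify_secret(body):
    """Return (kind, card_serial_hex) for a secret (sub)key packet body."""
    pos = public_part_len(body)
    if body[pos] == 0:
        return ("plain", "")
    if body[pos] not in (254, 255) or body[pos + 2] != 101:
        return ("encrypted", "")                     # real, passphrase-protected material
    pos += 4                                         # usage, cipher algo, S2K type, hash algo
    ext = body[pos + 3] if body[pos:pos + 3] == b"GNU" else 0
    if ext == 1:
        return ("gnu-dummy", "")
    if ext == 2:                                     # one length octet, then the card serial
        return ("gnu-divert-to-card", body[pos + 5:pos + 5 + body[pos + 4]].hex())
    return ("unknown-gnu-ext", "")

def export_secret_stubs(keyring):
    """Primary key becomes a gnu-dummy stub (public part + GNU S2K, no IV, no MPIs,
    no checksum) unless it already is one; real-material subkeys are dropped with their sigs."""
    out, dropping = [], False
    for tag, body in parse_packets(keyring):
        if tag == TAG_SECKEY:
            dropping = False
            if classify_secret(body)[0] not in STUB_KINDS:
                body = body[:public_part_len(body)] + GNU_S2K + bytes([1])
        elif tag == TAG_SECSUB:
            dropping = classify_secret(body)[0] not in STUB_KINDS
        elif tag == TAG_UID:
            dropping = False
        if dropping and tag in (TAG_SECSUB, TAG_SIG):
            continue
        out.append(encode_packet(tag, body))
    return b"".join(out)

def summarize(keyring):
    return [(t, classify_secret(b)[0] if t in (TAG_SECKEY, TAG_SECSUB) else "")
            for t, b in parse_packets(keyring)]

CARD_SERIAL = bytes.fromhex("d27600012401010100010000deadbeef")  # made-up serial, not a real card
def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def _public():                                       # v4, created 2004-11-08, fake RSA n and e
    return bytes([4]) + struct.pack(">I", 1099900000) + bytes([1]) + _mpi(0xC0FFEE) + _mpi(65537)
def _plain_secret():                                 # usage 0: fake d, p, q, u, 16-bit checksum
    sec = _mpi(0xBEEF) + _mpi(3) + _mpi(5) + _mpi(7)
    return _public() + bytes([0]) + sec + struct.pack(">H", sum(sec) & 0xFFFF)

def sample_keyring():
    """Constructed keyring: real primary, one card subkey, one old 'real' subkey."""
    sig = b"\x04\x13"                                # placeholder body; signatures are not parsed
    card = _public() + GNU_S2K + bytes([2, len(CARD_SERIAL)]) + CARD_SERIAL
    return b"".join(encode_packet(t, b) for t, b in [
        (TAG_SECKEY, _plain_secret()), (TAG_UID, b"Test User <test@example.org>"), (TAG_SIG, sig),
        (TAG_SECSUB, card), (TAG_SIG, sig),              # redirect-to-card subkey: keep
        (TAG_SECSUB, _plain_secret()), (TAG_SIG, sig)])  # old "real" subkey: strip
```

Running summarize(export_secret_stubs(sample_keyring())) shows the primary as gnu-dummy and only the divert-to-card subkey surviving; on a real export you would feed it the bytes of gpg --export-secret-keys and write the result to a file for the untrusted machines. The filter never decrypts anything: it decides purely on the S2K usage octet and the GNU magic, so a passphrase-protected subkey is treated as real material and dropped, which is the conservative choice for a keyring that is about to leave the trusted box.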
More information about the Gnupg-users mailing list