SmartCard as subkey?

Simon Richter richtesi at informatik.tu-muenchen.de
Mon Nov 8 15:37:23 CET 2004


Hi,

> > I don't have a smartcard reader in the boxen I consider trustworthy enough
> > to hold my master key. Is there a way I can generate a key in the uni, get

> You don't need to trust the smartcard reader; the reader can't get any
> sensitive information out of the card and snooping the PIN is usually
> of minor interest.

Hrm, if I understood the Sun smart card framework correctly, I can write a
Java class and give that (as root) to the smartcard handling daemon which will
then allow me to enter my PIN securely (takes over display and keyboard,
blinks "Secure PIN entry" LED, sends the PIN to the card and returns. Is
something like this supported in GPG already?

Also, would the following property names be acceptable:

version			Version (ro)
manufacturer		Manufacturer (ro)
serial			Serial number (ro)
name			Name of cardholder
language		Language prefs
sex			Sex
url			URL of public key
login			Login data
pin1			PIN 1 (wo)
pin2			PIN 2 (wo)
pin3			PIN 3 (wo)
pin1len			PIN 1 Maximum length (ro)
pin2len			PIN 2 Maximum length (ro)
pin3len			PIN 3 Maximum length (ro)
pin1cnt			PIN 1 Retry counter (ro)
pin2cnt			PIN 2 Retry counter (ro)
pin3cnt			PIN 3 Retry counter (ro)
sigcount		Signature counter (ro)
sigfingerprint		Signature key fingerprint (ro)
encfingerprint		Encryption key fingerprint (ro)
authfingerprint		Authentication key fingerprint (ro)

> However, to create just subkey you need to have the primary key
> available and that should only be done on a trusted machine.  If you
> have such a box, just enter the usual key edit menu and use
> "addcardkey".

Done that now, but it was a major hassle to get a useful "secret" key
(stub master key, redirect-to-card subkeys) to the machines in the uni as
I needed to strip the old, "real" subkeys off.

Maybe it would be good to add a --export-secret-stubs command that exports
only master key stubs and all valid subkeys that do not contain private
key info?

Also, the "General key info" now shows the keyid of the first subkey. Is
there a way I can make it show the master key?

And, last but not least, the "login" field is specified as "proprietary".
Are there already any uses for this (I could, for example, add login
functionality into the Sun OCF driver, but would not really like to
conflict with existing implementations here)?

   Simon (who signs this message with the card now)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : /pipermail/attachments/20041108/07cbe3a3/attachment.bin


More information about the Gnupg-users mailing list