PGP and Smartcards?
wk at gnupg.org
Fri Jul 22 10:12:37 CEST 2005
On Thu, 21 Jul 2005 12:25:49 +0200, Felix E Klee said:
> * Can I use GnuPG for signing and decryption with a smart card and 2048
> bit RSA keys? What limitations do I have to expect, if any?
Cards able to generate and use 2k RSA keys are not easily
available. This will change in a year or so. State of the art is
still 1k RSA.
> * Personally, I currently favor the Axalto Cryptoflex 32k. But is there
> any card that you recommend? (I know that there's the OpenPGP card but
> it only supports keys up to 1024 bits - not an option.)
gpg only supports the OpenPGP card specification. You are free to
implement it on your card.
> * Why was OpenSC removed with development version 1.9.17 of GnuPG? From
> a software developer's point of view it just doesn't make sense to
> ditch an existing and supposedly well working library that provides a
* OpenSC is a huge and complex library with an ever changing API and
often hidden ABI changes. It just makes too much trouble.
* It requires your application to use pthreads, which conflicts with
the use of another threading library; GNU Pth in our case.
* We only need to _read_ PKCS#15 structures and not to _create_ them.
This is actually pretty easy to implement. PKCS#15 has
intentionally been designed to ease things.
> standardized interface (PKCS#11) and whose license (LGPL) is compliant
> with the license of the GnuPG.
Not really: You need to build OpenSC without OpenSSL support.
Otherwise you put additional restrictions on any GPL program linking
to OpenSC - which is not compatible with the GPL. Frankly, I don't
understand why the OpenSC folks still do this. I complained about
this several times in the last years and it is one of the reasons why
I stopped working on OpenSC (I wrote the support for TCOS and
> * If not GnuPG, what free software alternatives are there for doing PGP
> signing and decryption with a smart card?
I don't know. For me the smartcard support works pretty well and I
know quite some people who are using it day by day for email and to
mount encrypted file systems.