PGP and Smartcards?

Werner Koch wk at gnupg.org
Fri Jul 22 10:12:37 CEST 2005 

On Thu, 21 Jul 2005 12:25:49 +0200, Felix E Klee said:

> * Can I use GnuPG for signing and decryption with a smart card and 2048
>   bit RSA keys?  What limitations do I have to expect, if any?

Cards able to to generate and use 2k RSA keys are not easily
available.  This will change in a year or so.  State of the art is
still 1k RSA.

> * Personally, I currently favor the Axalto Cryptoflex 32k.  But is there
>   any card that you recommend? (I know that there's the OpenPGP card but
>   it only supports keys up to 1024 bits - not an option.)

gpg only supports the OpenPGP card specification.  You are free to
implement it on your card.

> * Why was OpenSC removed with development version 1.9.17 of GnuPG?  From
>   a software developer's point of view it just doesn't make sense to
>   ditch an existing and supposedly well working library that provides a

* OpenSC is a huge and complex library with an ever changing API and
  often hidden ABI changes. It just makes too much trouble.  

* It requires your application to use pthreads with conflicts with
  the use of another threading library; GNU Pth in our case.

* We only need to _read_ PKCS#15 structures and not to _create_ them.
  This it is actually pretty easy to implement.  PKCS#15 has
  intentionally been designed to ease things.

>   standardized interface (PKCS#11) and whose license (LGPL) is compliant
>   with the license of the GnuPG.

Not really: You need to build OpenSC without OpenSSL support.
Otherwise you put additional restrictions on any GPL program linking
to OpenSC - which is not compatible to the GPL.  Frankly, I don't
understand why the OpenSC folks still do this.  I complained about
this several times in the last years and it is one of the reasons why
I stopped working on OpenSC (I wrote the the support for TCOS and
MICARDO).

> * If not GnuPG, what free software alternatives are there for doing PGP
>   signing and decryption with a smart card?

I don't know.  For me the smartcard support works pretty well and I
know quite some people who are using it day by day for email and to
mount encrypted file systems.


Salam-Shalom,

   Werner

More information about the Gnupg-users mailing list