PGP and Smartcards?

Felix E. Klee felix.klee at inka.de
Sun Jul 24 18:05:26 CEST 2005 

At Thu, 21 Jul 2005 13:09:40 +0200,
Zeljko Vrba wrote:
> > I'd like to do PGP with a Smartcard that contains my main private
> > key (I
>
> I have made a patch to support 3rd party smart-cards with GPG using
> PKCS#11 interface.
> 
> In the mean time I have abandoned the development, however another
> kind individual has picked up from where I have left. In a private
> communication he has said to make it work with Cryptoflex 32k and
> PKCS#11 drivers from OpenSC and from the MUSCLE project.

This does indeed look very interesting.  However, at the moment I don't
have a CryptoFlex 32k at hand and time doesn't permit me to play too
much with this smart card stuff.  For the time being, I may simply buy
an OpenPGP card with support for 1024 bit keys and use that for my day
to day use.  After all, 1024bit keys still seem to be quite secure.
There have been some rumors that say otherwise, but they seem to be
based on misunderstandings (at least that's what RSA says in a 2002
technical note [1]).

> We both believe that the most useful usage scenario is master key on
> the smart-card with subkeys on the disk, as usual.

Huh? AFAICS, in general it is more important to have the subkeys on a
smart card than the master key.  After all the master key can be stored
in a safe place at home (e.g. on a CD, though a smart card would be more
secure).  The subkeys are usually carried around and are, thus, easy
subject for thieves.  Also for a cracker it should usually be much
easier to gain access to an everyday-machine with Internet access than
it is to get access to a system primarily used for maintaining PGP keys
(such a system should not have network access and, for additional
security, it should be booted from a reasonably tamper proof device,
e.g. from a Knoppix CD off a recently bought computer journal).

> You can read more about the state of affairs about this (including the
> relevant links) on http://zwillow.blogspot.com/

I read about the licensing issue that you complain about in your blog.
Although, I say that combining incompatible licenses is a no-no, I would
appreciate it if GPG would incorporate an interface to PKCS#11 since
both issues are essentially unrelated.

[1] http://www.rsasecurity.com/rsalabs/node.asp?id=2007

-- 
Felix E. Klee

More information about the Gnupg-users mailing list