Smartcard questions

Werner Koch wk at
Mon Jan 2 15:13:41 CET 2006

On Sun, 01 Jan 2006 12:57:27 -0700, Kurt Fitzner said:

> 1) Is it possible to erase one?  For example, if a set of three keys has
> been generated on the card, and if later that card is going to be used
> for one or two subkeys, can the unused keys on the card be erased?  It
> would be nice to return the card to an unused state for reuse.

It is on my todo list.  The way it will work is by storing a dummy key
on the card (which erases the old one) and to clear the fingerprint.

> 2) Is it possible to export only the smartcard private key stubs from a
> normal RSA key pair that has smartcard subkeys?  In other words, once I
> have made smartcard subkeys of a regular RSA key, and once they are on
> the card, how can I use the card on another PC without transporting the
> full master secret key?

If the key is missing a stub should be created automagically if you
run gpg --card-status on the other machine.

> 3) Is it possible to set the private DO 1 and DO 2 fields to anything?

    /* Note, that we do not announce this command yet. */
    { "privatedo", cmdPRIVATEDO, 0, NULL },

On the --card-edit prompt enter: 

  privatedo N

and you will be asked for the value or

  privatedo N < FILE

and the data will be taken from FILE - useful for binary data.  This
redirection works also with the login command.

> 4) Is the card serial number stored in the keyring?  Can GnuPG be
> configured to ask for the correct card when there is no card inserted,
> rather than just when the wrong card is inserted?

Yes, this should work when using the pinentry.  On Windows you need
check the status code yourself:

    CARDCTRL <what> [<serialno>]
        This is used to control smartcard operations.
        Defined values for WHAT are:
           1 = Request insertion of a card.  Serialnumber may be given
               to request a specific card.
           2 = Request removal of a card.
           3 = Card with serialnumber detected
           4 = No card available.
           5 = No card reader available

> 5) Related to 4, is it possible to use GnuPG to query for the serial
> number of the card associated with a key?  I would like to make GPGee
> able to ask for a card when one is needed, but don't know how to find
> out which card to prompt for.

See above.



More information about the Gnupg-users mailing list