fsfe smartcard help

Hauke Laging mailinglisten at hauke-laging.de
Mon Jul 5 22:49:18 CEST 2010


On Monday 05 July 2010 22:25:35, Remy van Elst wrote:
> Dear Hauke,
> 
> Thanks for your fast reply. It worked really well. I've been searching the
> whole evening for this, but I could find it in the manpage.

I had the same problem a few weeks ago. I suggest improving the man page. The 
explanation for card status could be changed from "Show the content of the 
smart card." to "Show the content of the smart card. If the public key is 
available but the secret key is not then the secret key is marked as available 
on the smart card (ssb> instead of ssb)."


> Two more questions, when I've imported my key via this way, and I leave the
> pc, no-one else will be able to use the keys without my smartcard and pin?
> (or passphrase)?

I am not sure about the PIN caching. If you take the smartcard out of the 
reader then your description is correct. But if you leave the smartcard in the 
reader it may be that the card can be used without entering the PIN again. 
AFAIK this can be prevented by a flag on the card for signatures but not for 
decryption and authentication.


> If I understand it correctly (which I probably don't, so please correct
>  me), my private key (which is removed from my pc but safely on a dvd
>  somewhere else) is not being used on the card. It uses the subkeys I've
>  generated via the fsfe site's tutorial.

I guess you mix up the categories "secret keys and private keys" with "main 
key and subkeys". Both the main key and all subkeys have both a secret and a 
public part. You probably have a main key whose only capability is to 
certify (sub)keys.


>  Those are on the card and cannot be accessed without my PIN.

Yes.


>  If I import the keys the way you say, first
>  import my .asc file and then a --card-edit (does gpg --card-edit + fetch
>  also work if you've put the URL to your http asc in there?) tells gpg on
>  the pc that my keys are on the card. It does not need my passphrase, but
>  my pin. When I leave the PC, even if someone gets my secret keys they
>  won't be able to do anything with them because they do not have my card.
>  (what if people find out my passphrase, but only have the subkeys?).

Nobody can get the secret keys from the PC because they are not stored on the 
PC. The only information stored there is that the secret keys reside on a 
smartcard. And this information is not so valuable for an attacker.

The passphrase is usable with the encrypted secret keys only. Thus somebody 
with knowledge of your passphrase would have to get access to your key backup, 
too.

Somebody with access to the secret subkeys (however) can read your encrypted 
data, can login as you (in case you have an authentication key) and can sign 
data as you. Only the last action can be detected on a smartcard (by the 
signature counter).


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
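Added example for this thread (not code from the message above or from GnuPG itself): two small checks that make the points in the reply concrete. The first classifies each secret key from `gpg --list-secret-keys --with-colons --with-secret` output by where its secret part lives (on a smartcard, a plain stub, or on disk), which is the scripted form of the `ssb>` check and of the statement that no secret key material is stored on the PC. The second reads the "Signature PIN" policy and the signature counter from `gpg --card-status` text output, so a baseline counter can be recorded and compared later. Both run on constructed sample output embedded below, so no card reader is needed; the colon-field meanings (field 15 of `sec`/`ssb` records: token serial number, `#` for a stub, `+` for on-disk secret material) and the `--card-status` line labels are assumptions taken from GnuPG's documented output formats, not from the page.

```shell
#!/bin/sh
# Added example (not from the mailing-list message or from GnuPG). Assumed formats:
#  - `gpg --list-secret-keys --with-colons --with-secret`: field 15 of a sec/ssb
#    record is the token serial number when the secret part is on a smartcard,
#    '#' for a stub with no secret material, '+' when the secret key is on disk
#    (without --with-secret the field is empty for on-disk keys, reported "unknown").
#  - `gpg --card-status`: lines "Signature PIN ....: forced|not forced" and
#    "Signature counter : N".

# Constructed sample: certify-only main key kept off the machine (stub '#'),
# sign/encrypt/auth subkeys whose secret parts live on one smartcard.
SAMPLE_KEYS='sec:u:2048:1:0123456789ABCDEF:1278000000::::::cESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:2048:1:FEDCBA9876543210:1278000000::::::s:::D2760001240102000005000012340000:::23::0:
ssb:u:2048:1:1122334455667788:1278000000::::::e:::D2760001240102000005000012340000:::23::0:
ssb:u:2048:1:8877665544332211:1278000000::::::a:::D2760001240102000005000012340000:::23::0:
'

# Constructed sample of the relevant `gpg --card-status` lines.
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000005000012340000
Version ..........: 2.1
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
Signature counter : 12
'

# Read colon-format key listing on stdin; print "KEYID CAPABILITIES LOCATION"
# for every sec/ssb record.
secret_key_locations() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = "unknown"
        if ($15 == "#")      loc = "stub-no-secret"
        else if ($15 == "+") loc = "on-disk"
        else if ($15 != "")  loc = "card:" $15
        print $5, $12, loc
    }'
}

# Succeed (exit 0) only when no sec/ssb record carries secret material on disk,
# i.e. every key is a card reference or a stub, as described in the reply.
no_secret_material_on_disk() {
    ! secret_key_locations | grep -q ' on-disk$'
}

# Print the value of one "Label ...: value" line of card-status output on stdin.
card_status_field() {
    sed -n "s/^$1[ .]*: *//p"
}

# Summarise the two signature-related card settings: whether the card demands
# the PIN for every signature, and how many signatures it has produced so far.
card_signature_policy() {
    status="$(cat)"
    forced="$(printf '%s\n' "$status" | card_status_field 'Signature PIN')"
    count="$(printf '%s\n' "$status" | card_status_field 'Signature counter')"
    printf 'signature-pin=%s counter=%s\n' "$forced" "$count"
}

# Demonstration on the constructed samples; replace the printf with real gpg
# output, e.g. gpg --list-secret-keys --with-colons --with-secret | secret_key_locations
printf '%s' "$SAMPLE_KEYS" | secret_key_locations
if printf '%s' "$SAMPLE_KEYS" | no_secret_material_on_disk; then
    echo "ok: no secret key material stored on this machine"
else
    echo "warning: at least one secret key is stored on disk"
fi
printf '%s' "$SAMPLE_CARD_STATUS" | card_signature_policy
```

Recording the counter value once and re-running `card_signature_policy` later is the scripted version of the detection the reply mentions: a counter that moved while you made no signatures means the card signed for someone else, which is also why a "forced" Signature PIN is worth checking when the card tends to stay in the reader.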