Best practice for periodic key change?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue May 10 06:18:15 CEST 2011
On 05/10/2011 12:01 AM, Jerome Baum wrote:
> c) Program the smart-card so it doesn't sign sub-keys? I'm not familiar with
> the internals of smart-card implementations but the OpenPGP sub-key
> signatures are of a different type than the data signatures. The smart-card
> can probably recognize if it's inadvertently signing a sub-key.
I doubt it -- the bytestring signed during OpenPGP key+userid
certifications has a different prefix than the bytestring signed during
a data signature.
But i think the data signed by a hardware implementation is a digest of
the bytestring, not the bytestring itself. I don't think a smartcard
would be able to tell the prefix of the underlying bytestring from the
digest it receives as a signature request.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110510/71f32efa/attachment.pgp>
More information about the Gnupg-users
mailing list