Best practice for periodic key change?
jerome at jeromebaum.com
Tue May 10 06:32:40 CEST 2011
On Tue, May 10, 2011 at 06:18, Daniel Kahn Gillmor <dkg at fifthhorseman.net>wrote:
> On 05/10/2011 12:01 AM, Jerome Baum wrote:
> > c) Program the smart-card so it doesn't sign sub-keys? I'm not familiar
> > the internals of smart-card implementations but the OpenPGP sub-key
> > signatures are of a different type than the data signatures. The
> > can probably recognize if it's inadvertently signing a sub-key.
> I doubt it -- the bytestring signed during OpenPGP key+userid
> certifications has a different prefix than the bytestring signed during
> a data signature.
> But i think the data signed by a hardware implementation is a digest of
> the bytestring, not the bytestring itself. I don't think a smartcard
> would be able to tell the prefix of the underlying bytestring from the
> digest it receives as a signature request.
Is that an implementation problem? i.e. is it possible to write an
implementation that does distinguish, or is it technically impossible w/out
processing the entire data on-card?
email jerome at jeromebaum.com
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnupg-users