Issues with primary key & subkeys on different smartcards

Peter Lebbing peter at digitalbrains.com
Sat Sep 7 16:11:57 CEST 2013


(from the first mail)
> I was able to successfully create a private key with stubs pointing to
> both cards as follows

Yes, that is how I ended up doing it back when I started using the same setup
years ago (two smartcards, certifying key on one, signing on another).

Only shortly ago, I got the impression from someone's mail to gnupg-users that
GnuPG these days did it as we both expected it would do: upon inserting the
second smartcard, replace the dummy S2K stubs with divert-to-card S2K's for the
second card.

Apparently it does not...

Once GnuPG has a secret key, I think it won't update it with new data. It didn't
use to AFAIK, and apparently still doesn't. Somebody else recently tried
exporting and importing a new subkey, and the import didn't work either. I just
thought of that thread and replied to it as well.

> As my programming abilities are not sufficient to make a patch to
> change this behavior, I'd be happy to offer a financial contribution
> if someone with more skill were to give it a shot.

I commend your spirit. Werner Koch does paid feature development for GnuPG as
well, although I am in no position to judge whether your financial contribution
can pay for the whole feature. I'm also willing to contribute, but don't hold
your breath over the amount of money ;). I've offered payment for a feature
before, I can't exactly remember what right now, but it was worth more to me than
this particular one.

Come to think of it, I've never seen any mention of people paying for features
and/or features made possible by paying users. Perhaps an interesting subthread
to spawn, if Werner is comfortable discussing it?

Anyway, back to the topic: maybe there are situations where you don't want to
update a secret key with new subkeys or new "key material" (let's consider a
divert-to-card S2K as key material, and a dummy S2K as absence of it). But an
option "--import-options update-secret-key" or something seems like a useful
thing, and gives people the choice without resorting to gpgsplitting.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
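What the "dummy S2K stubs" and "divert-to-card S2K's" discussed in this thread actually look like in an exported secret key, and how the proposed "update-secret-key" merge could decide between them, as an added example; this is not code from the thread or from GnuPG. It builds two constructed secret-subkey packets in memory (toy RSA numbers and constructed card serials, no real key material), classifies each packet's S2K field by the RFC 4880 layout plus GnuPG's S2K specifier 101 ("GNU" magic, protection mode 1001 = gnu-dummy, 1002 = divert-to-card, followed by the card serial), and then applies one reading of the proposed option: a divert-to-card stub may replace a gnu-dummy stub for the same subkey fingerprint, but a dummy never overwrites card-backed "key material". The merge rule, the function names and the sample values are assumptions of this example.

```python
"""Classify and merge GNU S2K stubs in exported OpenPGP secret-subkey packets.

Added example, not GnuPG code.  Packet layout: RFC 4880 5.5.3 (v4 secret key)
plus GnuPG's private S2K specifier 101: type octet 101, hash octet, "GNU",
mode octet (1 -> 1001 gnu-dummy, 2 -> 1002 divert-to-card), and for 1002 a
one-octet serial length followed by the card serial.  No IV and no secret
MPIs follow a GNU stub.
"""
import hashlib
import struct

S2K_GNU = 101  # GnuPG's private S2K specifier for the "GNU" extension


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count + big-endian bytes."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def secret_subkey_packet(created, n, e, stub):
    """Build a v4 RSA secret-subkey packet (tag 7, old-format header) whose
    secret part is a GNU stub.  stub is "dummy" or the card serial (bytes).
    Constructed for illustration; n and e are toy values, not a real key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    body += b"\xfe\x00"                       # S2K usage 254, symmetric algo octet
    body += bytes([S2K_GNU, 0x00]) + b"GNU"   # specifier 101, hash octet, magic
    if stub == "dummy":
        body += b"\x01"                       # mode 1001: no secret key present
    else:
        body += b"\x02" + bytes([len(stub)]) + stub   # mode 1002: divert-to-card
    assert len(body) < 256                    # one-octet length header suffices
    return bytes([0x80 | (7 << 2), len(body)]) + body


def skip_mpi(buf, pos):
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def parse_stub(packet):
    """Return (fingerprint_hex, kind, serial) for one secret (sub)key packet.
    kind is 'unprotected', 'protected', 'gnu-dummy' or 'divert-to-card'."""
    tag = (packet[0] >> 2) & 0x0F
    if packet[0] & 0x40 or tag not in (5, 7):
        raise ValueError("expected an old-format secret key/subkey packet")
    body = packet[2:2 + packet[1]]
    if body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA packets are handled in this example")
    pos = 6                                   # version, 4-byte time, algo
    for _ in range(2):                        # RSA public MPIs: n, e
        pos = skip_mpi(body, pos)
    public = body[:pos]                       # v4 fingerprint = SHA-1(0x99, len, public part)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(public)) + public).hexdigest()
    usage = body[pos]
    pos += 1
    if usage == 0:
        return fpr, "unprotected", None
    if usage not in (254, 255):
        raise ValueError("unexpected S2K usage octet %d" % usage)
    pos += 1                                  # symmetric algorithm octet
    s2k_type = body[pos]
    pos += 2                                  # specifier octet + hash octet
    if s2k_type != S2K_GNU:
        return fpr, "protected", None         # ordinary passphrase-protected key
    if body[pos:pos + 3] != b"GNU":
        raise ValueError("S2K specifier 101 without GNU magic")
    mode = 1000 + body[pos + 3]
    pos += 4
    if mode == 1001:
        return fpr, "gnu-dummy", None
    if mode == 1002:
        serial_len = body[pos]
        return fpr, "divert-to-card", body[pos + 1:pos + 1 + serial_len]
    raise ValueError("unknown GNU protection mode %d" % mode)


def merge_stubs(existing, incoming):
    """Assumed update rule for an '--import-options update-secret-key':
    keep what the keyring has, add unknown subkeys, and let a divert-to-card
    stub replace a gnu-dummy stub for the same fingerprint (never the reverse)."""
    merged = {parse_stub(p)[0]: p for p in existing}
    for p in incoming:
        fpr, kind, _ = parse_stub(p)
        if fpr not in merged:
            merged[fpr] = p
        elif kind == "divert-to-card" and parse_stub(merged[fpr])[1] == "gnu-dummy":
            merged[fpr] = p
    return list(merged.values())


# Constructed sample: subkey S lives on card A, subkey T on card B.  Each card's
# export carries a real stub for its own subkey and a dummy for the other one.
SUBKEY_S = dict(created=1378562400, n=0xC3E1F5, e=65537)   # toy numbers
SUBKEY_T = dict(created=1378562401, n=0xB7D9A1, e=65537)   # toy numbers
CARD_A = bytes.fromhex("d276000124010200000500000111110000")[:16]  # constructed serial
CARD_B = bytes.fromhex("d276000124010200000500000222220000")[:16]  # constructed serial


def demo():
    keyring = [secret_subkey_packet(stub=CARD_A, **SUBKEY_S),
               secret_subkey_packet(stub="dummy", **SUBKEY_T)]
    from_card_b = [secret_subkey_packet(stub="dummy", **SUBKEY_S),
                   secret_subkey_packet(stub=CARD_B, **SUBKEY_T)]
    merged = merge_stubs(keyring, from_card_b)
    return [(fpr[-16:], kind, serial.hex() if serial else None)
            for fpr, kind, serial in map(parse_stub, merged)]


if __name__ == "__main__":
    for keyid, kind, serial in demo():
        print(keyid, kind, serial)
```

Running it prints both subkeys as divert-to-card, each with its own card serial: the dummy for S in card B's export did not clobber the card A stub, and the dummy for T in the keyring was replaced. A real export from `gpg --export-secret-keys` also carries the primary key, user IDs and signatures; this example looks only at the secret-subkey packets the stubs live in.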
