OpenPGP card feature request: as many encryption-capable keys as technically possible
Peter Lebbing
peter at digitalbrains.com
Fri Aug 15 02:18:26 CEST 2014
Hello,
I was thinking about subkey expiration when using OpenPGP smartcards.
Expiring a data signing subkey is no problem.
Expiring a primary key has no bearing to the issue I'm raising. It has
rather large implications, though.
The problem is expiring a encryption-capable subkey on an OpenPGP
smartcard, replacing it with a new one.
Currently, the OpenPGP smartcard only allows a single
en-/decryption-capable key.
Suppose after some time I decide an old key has seen it's useful
lifetime. I'd like to create a new encryption-capable key. However, I
definitely need to keep the old key, or I won't be able to see anything
encrypted to me in the past.
The current OpenPGP smart card restricts me to a single key for
encryption, a single key for signatures, and a single key for
authentication. If it were possible to tell the card, on uploading the
key, what that key's usage will be, I would be able to have a separate
smartcard that decrypted the 3 OpenPGP subkeys I used for encryption
previously. This instead of being forced to use 3 separate smartcards. I
get the impression this is a relatively small change to the firmware of
the smartcard, but a larger change to the software running on the PC.
The current roles of RSA keys were clearly chosen to cover the 3 cases
of signing, encryption and authentication. Maybe the card still has
enough room for a fourth key, once the purpose isn't fixed anymore? Or
even a fifth...
Cheers,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list