OpenPGP card feature request: as many encryption-capable keys as technically possible

Peter Lebbing peter at
Fri Aug 15 02:18:26 CEST 2014


I was thinking about subkey expiration when using OpenPGP smartcards.

Expiring a data signing subkey is no problem.

Expiring a primary key has no bearing on the issue I'm raising. It has
rather large implications, though.

The problem is expiring an encryption-capable subkey on an OpenPGP
smartcard, replacing it with a new one.

Currently, the OpenPGP smartcard only allows a single
en-/decryption-capable key.

Suppose after some time I decide an old key has seen its useful
lifetime. I'd like to create a new encryption-capable key. However, I
definitely need to keep the old key, or I won't be able to see anything
encrypted to me in the past.

The current OpenPGP smart card restricts me to a single key for
encryption, a single key for signatures, and a single key for
authentication. If it were possible to tell the card, on uploading the
key, what that key's usage will be, I would be able to have a separate
smartcard that decrypted the 3 OpenPGP subkeys I used for encryption
previously, instead of being forced to use 3 separate smartcards. I
get the impression this is a relatively small change to the firmware of
the smartcard, but a larger change to the software running on the PC.

The current roles of RSA keys were clearly chosen to cover the 3 cases
of signing, encryption and authentication. Maybe the card still has
enough room for a fourth key, once the purpose isn't fixed anymore? Or
even a fifth...



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
