Trezor - Could this be the model for a PGP crypto device?
gniibe at fsij.org
Wed Mar 11 06:04:50 CET 2015
On 03/10/2015 09:18 PM, Jonathan Schleifer wrote:
> Does this really need to be part of the specification? For example,
> the Gnuk could just delay signing / decryption / authentication
> until the button has been pressed and return an error if it doesn't
> get pressed within a certain amount of time.
Yes, it is possible to implement an "ack" button in the way you describe.
But, technically, it's not good for the underlying layer to impose
this kind of "snatch". It is better for Host PC to know the
Besides, when possible, I don't want a feature to be implemented only
for Gnuk. I don't want to differentiate, but to collaborate.
Well, I realized that my idea of yesterday was not good. According to
ISO 7816-4, no command is allowed before GET RESPONSE.
So, we could consider something like this:
Host PC                                         OpenPGPcard
command: PSO =>
                                             <= response: 0x9F<LENGTH>
command: VERIFY with 0x84 ==>
  (or something different than 0x81, 0x82, or 0x83)
                                             <= response: 0x9000 OK
command: GET DATA on some pseudo Data Object ==>
                                             <= response: <DATA> of result of PSO
It seems to me that we can use 0x9F<LENGTH> to let the host PC know the length
of data. (While 0x61<LENGTH> expects a succeeding GET RESPONSE.)
This can be done with smartcard + cardreader with pinpad.
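
The exchange proposed in this message, as an added example that is not part of the original post and is not Gnuk or card firmware code: a toy Python simulation of both sides, showing that the PSO result is withheld until the acknowledgement succeeds. The pseudo Data Object tag, the status word returned when no acknowledgement was given, and the placeholder PSO result are assumptions.

```python
# Toy model of the exchange proposed above; simulation only, not Gnuk or card firmware.
INS_PSO, INS_VERIFY, INS_GET_DATA = 0x2A, 0x20, 0xCA  # ISO 7816 instruction bytes
P2_ACK = 0x84              # from the post: VERIFY P2 other than 0x81/0x82/0x83
PSEUDO_DO = (0x00, 0xFF)   # assumption: arbitrary tag for the "pseudo Data Object"
SW_OK = (0x90, 0x00)
SW_DENIED = (0x69, 0x82)   # assumption: status returned when no ack was given
SW_BAD_INS = (0x6D, 0x00)


class ToyCard:
    """Card side: holds the PSO result until the user acknowledges it."""

    def __init__(self, button_pressed):
        self.button_pressed = button_pressed  # callable standing in for button/pinpad
        self.pending = None                   # PSO result waiting for release
        self.acked = False

    def apdu(self, ins, p1, p2, data=b""):
        if ins == INS_PSO:
            self.pending = b"SIG:" + data     # placeholder, no real cryptography
            self.acked = False
            return b"", (0x9F, len(self.pending))  # 0x9F<LENGTH>, no data yet
        if ins == INS_VERIFY and p2 == P2_ACK and self.pending is not None:
            self.acked = bool(self.button_pressed())
            return b"", SW_OK if self.acked else SW_DENIED
        if ins == INS_GET_DATA and (p1, p2) == PSEUDO_DO:
            if not self.acked:
                return b"", SW_DENIED         # result never leaves without an ack
            result, self.pending, self.acked = self.pending, None, False
            return result, SW_OK
        return b"", SW_BAD_INS


def host_sign(card, digest):
    """Host side: returns the PSO result, or None if the user did not acknowledge."""
    _, (sw1, length) = card.apdu(INS_PSO, 0x9E, 0x9A, digest)  # compute signature
    if sw1 != 0x9F:
        raise RuntimeError("card does not use the 0x9F<LENGTH> flow")
    _, sw = card.apdu(INS_VERIFY, 0x00, P2_ACK)
    if sw != SW_OK:
        return None
    result, sw = card.apdu(INS_GET_DATA, *PSEUDO_DO)
    if sw != SW_OK or len(result) != length:
        raise RuntimeError("unexpected GET DATA response")
    return result


if __name__ == "__main__":
    digest = bytes(range(32))                 # constructed sample digest
    print(host_sign(ToyCard(lambda: True), digest))
    print(host_sign(ToyCard(lambda: False), digest))
```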