several GPG smartcards connected at the same time
NIIBE Yutaka
gniibe at fsij.org
Tue Aug 9 02:39:43 CEST 2016
On 08/08/2016 07:27 PM, Cornelius Kölbel wrote:
> I am wondering if it is possible to have several GnuPG Smartcards
> connected.
Currently, this configuration is not supported by scdaemon. I don't
know any portable technical solution (supporting GNU/Linux, Windows,
and MacOS X, etc.) to handle multiple card readers (and/or cards)
simultaneously by a single application.
Now, GnuPG 2.1 internal CCID driver has migrated to newer libusb. So,
I think that we can consider a solution by the internal CCID driver,
supporting multiple card readers (or card) simultaneously by a single
application. I don't know how a possible libusb solution is portable,
though.
> Let's assume I have several smartcards,
> one has a PGP key of identy1 at example.com, the other of
> identity2 at example.com.
In fact, I am using multiple tokens daily for gniibe at fsij.org; ed25519
with 249CB3771750745D5CDD323CE267B052364F028D, rsa2048 with
124124BD3B4862AF7A0A42F100B45EBD4CA7BABE. It annoys me somehow.
> If I now try to decrypt something which is encrypted for
> identity2 at example.com would the gpg-agent/scdaemon be smart enough to
> ask the correct smartcard with the right identity/private key?
If there is no token inserted, it fails. If a correct token is inserted,
it goes well. If a different token is inserted, GnuPG asks a user to
remove a different token and to insert another token. This is the current
behavior.
There is a small problem yet. When GnuPG sees an encrypted message
for both of E267B052364F028D, 00B45EBD4CA7BABE, it handle a possible
key in a sequence (as listed in an encrypted message). Suppose key
list is: E267B052364F028D and 00B45EBD4CA7BABE, and I already inserted
a token for 00B45EBD4CA7BABE in my computer. GnuPG asks me to change
a token when it finds E267B052364F028D in an encrypted message, even if
the message can be decrypted by the token inserted already.
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160809/733b1db9/attachment.sig>
More information about the Gnupg-users
mailing list