several GPG smartcards connected at the same time

Werner Koch wk at
Tue Aug 9 10:56:35 CEST 2016

On Tue,  9 Aug 2016 08:57, ndk.clanbo at said:

> If GnuPG supported PKCS#11 it would open a whole new world, like the
> ability to use generic cards.

Nope.  That is entirely unrelated.  PKCS#11 is a clumsy standard to
allow the use of proprietary cards using proprietary
middleware/drivers/whatever_they_call_it.  If you have an open
specification for a card you can easily write the required glue code and
add it to scdaemon.  You may also use a PKCS#15 card and scdaemon would
work just fine with it - if there would not be so many different flavors
of that standard.

Using more that one card is more of an organisational problem.  10 years
ago or so I did some tests and it basically worked.  However, back then
it was hard enough to convince people to buy just _one_ reader and thus
I dropped all efforts to make multipe reader/card support well working.

It is also questionable whether having two cards plugged in is a good
idea: You increase the attack surface and malware can make use of any of
those cards.  This makes it hard for a user to notice unexpected use of
a card.

>From a practical point of view I would love to see support for two
cards: When doing a release I have to swap my cards for commit
signatures and release signatures all the time.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
 /* Join us at OpenPGP.conf  <> */

More information about the Gnupg-users mailing list