gnupg-pkcs11 status & future
Martin Konold
martin.konold at erfrakon.com
Sat Feb 27 09:29:21 CET 2016
On Friday, 26 February 2016, 15:18:55 CET, Werner Koch wrote:
Hi,
> In any case you need to load the keys onto the card and don't have the
> card create the key. Smartcards may break and then you would not be
> able to decrypt anything if you don't have an offline backup the key.
Please allow me to mention that many smartcards disallow cleartext export of
keys generated on the card while also not allowing the import of cleartext
private keys.
But this is not a backup issue, as most cards also allow for n-of-m threshold
schemes and DKEK/key-wrapping, e.g.
http://www.smartcard-hsm.com/2014/09/25/Desaster_Recovery_for_your_SmartCard-HSM.html
IMHO there are additional legit use cases where having multiple private keys
for decryption would be more than useful. Today I circumvent the limit by
using multiple OpenPGP Cards and multiple GNUPGHOME directories, each configured
for a different USB device (scdaemon.conf).
While imho pkcs#11 is ugly, it really is a tool to gain interoperability while
cleaning up a lot of mess (many people are confused with the current
situation) and making encryption available to the masses.
Kind Regards
--martin konold
--
Dipl.-Physiker Martin Konold
e r f r a k o n Partnerschaftsgesellschaft
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Registergericht: Amtsgericht Stuttgart PR 126
Firmensitz: Adolfstraße 23, 70469 Stuttgart
fon: 0711 67400963
fax: 0711 67400959
email: martin.konold at erfrakon.de
http://www.erfrakon.com
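The per-card workaround Martin describes (one GNUPGHOME per OpenPGP Card, each with its own scdaemon.conf bound to a different USB reader) as an added example that is not part of the original mail. It assumes the real scdaemon `reader-port` option; the reader names and directory paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): create one GNUPGHOME per OpenPGP Card,
# each with an scdaemon.conf that pins scdaemon to a different USB reader.
# Reader names are placeholders; GnuPG lists the real ones with
#   gpg-connect-agent 'scd getinfo reader_list' /bye

# make_card_home DIR READER
# Creates DIR (mode 700, as gpg expects) and writes scdaemon.conf with
# "reader-port READER" so that only that card is used from this home.
make_card_home() {
    home=$1
    reader=$2
    mkdir -p "$home"
    chmod 700 "$home"
    printf 'reader-port %s\n' "$reader" > "$home/scdaemon.conf"
    chmod 600 "$home/scdaemon.conf"
}

# card_gpg DIR ARGS...
# Runs gpg against the given home, so a separate gpg-agent/scdaemon pair
# is started per card and decryption uses that card's key.
card_gpg() {
    home=$1
    shift
    GNUPGHOME="$home" gpg "$@"
}

# Stand-alone demo: two homes under a scratch directory (placeholder readers).
if [ "${DEMO:-1}" = 1 ]; then
    base=$(mktemp -d)
    make_card_home "$base/card-a" "Example Vendor Reader A 00 00"
    make_card_home "$base/card-b" "Example Vendor Reader B 00 01"
    echo "card A home: $base/card-a"
    echo "card B home: $base/card-b"
    # e.g. card_gpg "$base/card-a" --decrypt message.gpg
fi
```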