problem signing with a smart card

Peter Lebbing peter at digitalbrains.com
Thu Jan 21 16:13:14 CET 2016


On 21/01/16 15:47, Andrew Gallagher wrote:
> overwrite the smartcard key with a newly generated key

Wait... Maybe I'm not following correctly, but to me it sounds like:

- Antoine has an encryption key on his smartcard, but no backup.
- If it is no longer possible to use the smartcard to decrypt data with,
Antoine will lose access to all his previously encrypted data.
- So to remedy, you suggest he replaces the *only copy* he has of that
key with a new one which does have a backup.

In effect, removing the fear of losing the key in the future by getting
it over with and losing the key now. That's rather cynical.

Is there any data already encrypted to that key?!

> (making sure NOT to "save" afterwards, see previous email) and republish.

If you do save accidentally, remove the newly generated subkey before
publishing and start over. If you haven't published it yet, there's no
need for revocation, just remove it with delkey.

> Maybe try the process out with a new temporary key to be sure you're
> doing it right (don't publish it, of course).

That is very good advice in general.

>> PS2: I can do the same with my authentication key, because if my key is
>> compromised, my SSH server doesn't know it! Right?
> 
> Yes.

Let's talk about two separate issues:

- If the smartcard breaks, you don't have access to the key anymore and
you need some alternative way of getting a new key authorized (the
normal way being to log in and add it to authorized_keys, but you can't
login with the old key anymore because the smartcard broke).

- If your authentication subkey is /compromised/, you can still log in
to the SSH server, install a new key by editing authorized_keys, and at
the same time remove the old key from there. However, so can your
attacker. Having a key backup doesn't help against compromise.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
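The second bullet above (log in while you still can, install the new authentication key in authorized_keys and remove the old one in the same step) is the part of the procedure that is easy to get wrong by hand: editing the file in place, leaving the old entry behind, or losing the other entries. The script below is an added example for this list thread, not code from the original post or from the GnuPG or OpenSSH projects. It assumes OpenSSH's one-line authorized_keys format, matches entries on the base64 key blob (field 2) so a changed comment does not matter, and uses constructed key strings that are not real keys.

```sh
#!/bin/sh
# Added example (not from the original mailing-list post): replace an entry in
# authorized_keys after a new SSH authentication key has been generated.
# Key material below is constructed for the demo; these are not real keys.
set -eu

# rotate_authorized_key FILE OLD_PUBKEY NEW_PUBKEY
# Removes the line whose key blob (second field) matches OLD_PUBKEY, appends
# NEW_PUBKEY, and replaces FILE atomically with mode 0600. Refuses to run if
# OLD_PUBKEY is not present (wrong file or wrong key) or if NEW_PUBKEY is
# already present (a re-run must not add duplicates).
rotate_authorized_key() {
    ak_file=$1; ak_old=$2; ak_new=$3
    ak_old_blob=$(printf '%s\n' "$ak_old" | awk '{print $2}')
    ak_new_blob=$(printf '%s\n' "$ak_new" | awk '{print $2}')
    if ! grep -qF -- "$ak_old_blob" "$ak_file"; then
        echo "old key not found in $ak_file, refusing to edit" >&2
        return 1
    fi
    if grep -qF -- "$ak_new_blob" "$ak_file"; then
        echo "new key already present in $ak_file, nothing to do" >&2
        return 1
    fi
    ak_tmp=$(mktemp "$ak_file.XXXXXX")
    # grep -v exits 1 when no line survives; that is not an error here
    grep -vF -- "$ak_old_blob" "$ak_file" > "$ak_tmp" || true
    printf '%s\n' "$ak_new" >> "$ak_tmp"
    chmod 600 "$ak_tmp"
    mv -f "$ak_tmp" "$ak_file"   # atomic replace: sshd never sees a half-written file
}

# demo_rotation: builds a constructed authorized_keys in a temp dir, rotates the
# smartcard key, and checks the outcome. Returns 0 on success, 1 on any failure.
demo_rotation() {
    d_dir=$(mktemp -d)
    d_file="$d_dir/authorized_keys"
    d_other='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDOTHERKEY laptop'
    d_old='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDOLDKEY card-auth-2014'
    d_new='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDNEWKEY card-auth-2016'
    printf '%s\n%s\n' "$d_other" "$d_old" > "$d_file"
    chmod 600 "$d_file"

    rotate_authorized_key "$d_file" "$d_old" "$d_new" || return 1
    grep -qF -- "$d_new" "$d_file"   || return 1   # new key installed
    ! grep -qF -- "$d_old" "$d_file" || return 1   # old key gone
    grep -qF -- "$d_other" "$d_file" || return 1   # unrelated entry kept
    [ $(wc -l < "$d_file") -eq 2 ]   || return 1   # exactly two entries remain

    # A second run must refuse: the old key is no longer there to replace.
    if rotate_authorized_key "$d_file" "$d_old" "$d_new" 2>/dev/null; then
        return 1
    fi
    rm -rf "$d_dir"
    return 0
}

demo_rotation
echo "authorized_keys rotation demo passed"
```

Run it on the real file only while the old key still works, i.e. before the smartcard is lost or overwritten; as the mail says, a backup of the old key does nothing for you once an attacker holds it, so the point of the script is that the old entry is removed in the same step the new one is added. The GnuPG side of the procedure (generating the replacement subkey and, if you saved by mistake, removing the unpublished one with delkey in gpg --edit-key) is not exercised here.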