How to sign a PDF using a DNIe

NIIBE Yutaka gniibe at fsij.org
Tue Jun 28 04:16:03 CEST 2016


On 06/17/2016 01:17 PM, NIIBE Yutaka wrote:
> I'd recommend to seek other software instead.
> 
> Simply, general smartcard is not supported.  It seems that you have an
> illusion that GnuPG and its scdaemon can support any smartcard in
> general.  No, we can't.
> 
> Fundamentally, while OpenPGPcard can be under control of its user,
> general smartcard is designed in the situation that it is under
> control by its issuer ( card is usually not a user's property ).

Last week, I was asked in person about the possibility of using a
smartcard issued by the Japanese government with GnuPG for OpenPGP and
SSH.  So, I am adding more comments.

In my opinion, it's not relevant to use such a card in order to
protect our privacy, even if the technology of the device were great,
even if the availability were good and the cost were cheap.

For the specific card, for example, it is issued at a public office
for citizens, and we need to enter the PIN on a computer in the office
when the key is generated (I don't know if it is really generated there
or not, but they claim so).

Even if the device were great, I don't want to use such a private key
generated in that environment, for myself, for use with GnuPG to
protect my own privacy.  That's because the environment is not
controlled by me at all.  Thus, it is impossible for me to ensure that the
private key is only available in the card securely, or that my PIN is not
recorded.  On the other hand, I happened to learn that the computer is
full of proprietary software (as usual), which no one (at least, no
one at the public office) can control.

The structure is: it's not my device, but someone else's; they let me use
the card.  It would be considered healthy for me to think about the
likelihood of a honey-pot/trap or other kinds of attack vectors when I
try to use the card for another purpose.

I think that I would only use such a card when it is made mandatory by the
government.

I think that it is the opposite way that we should make possible.  Let
a government accept a signature which is generated by our own
smartcard/token with free software.  Or let a governor certify our own
public key, where the private key is in our own smartcard/token.
-- 