How to sign a PDF using a DNIe

NdK ndk.clanbo at gmail.com
Tue Jun 28 10:42:48 CEST 2016


On 28/06/2016 04:16, NIIBE Yutaka wrote:

> I think that it is the opposite way that we should make possible.  Let
> a government accept signature which is generated by our own
> smartcard/token with free software.  Or let a governor certify our own
> public key, where the private key is in our own smartcard/token.
That would be great, but I think it's an orthogonal issue.
When you get to use a smartcard, you are already giving up a lot of
control over your key, trusting something you can't control and hoping
certifiers did their work correctly and the units being sold are
completely like the tested ones.

The support for generic cards could be useful for other reasons. Say I
have a smartcard that could host 15 keys. I'd like to use one for web
auth, another for NFC auth, another for signing documents, another as my
primary GPG identity (certification), one for GPG auth, one for GPG
signing and the others for GPG decryption (just not to lose access to
older mails). Currently it's not possible, unless I use quite a lot of
different cards.

IMO the "ideal" solution would be a FIDO-like system, where keys are
kept, encrypted, on disk and uploaded as "blobs" to the card that
decrypts 'em, and only then do they become useable. That would remove the limit
on the number of keys that could be kept on a card. But it's not
feasible with Java cards, I think (at least I couldn't make it work w/o
writing to the flash memory). That would be completely feasible with
FST-01...

BYtE,
 Diego
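
The wrapped-key scheme described in the message above, as an added sketch that is not part of the original post or of any card's firmware: a simulated token keeps a single wrapping key, and every other key lives on the host as an authenticated, encrypted blob. `ToyCard`, the labels and the 80-byte blob layout are hypothetical, and HMAC-SHA256 stands in for both the card's cipher and its signature operation so the block runs on the standard library alone.

```python
import hashlib, hmac, os

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class ToyCard:
    """Simulated token whose only persistent secret is one wrapping key."""

    def __init__(self):
        self._wrap_key = os.urandom(32)          # never leaves the card

    def _blob_keys(self, nonce: bytes):
        # Fresh encryption pad and MAC key for every blob (nonce is random).
        return _prf(self._wrap_key, b"enc" + nonce), _prf(self._wrap_key, b"mac" + nonce)

    def new_key(self, label: bytes) -> bytes:
        """Generate a 32-byte secret on the card; return it wrapped for the host."""
        secret, nonce = os.urandom(32), os.urandom(16)
        pad, mac_key = self._blob_keys(nonce)
        ct = bytes(s ^ p for s, p in zip(secret, pad))
        # Encrypt-then-MAC; the label binds the blob to one purpose.
        return nonce + ct + _prf(mac_key, label + nonce + ct)

    def _unwrap(self, label: bytes, blob: bytes) -> bytes:
        if len(blob) != 80:
            raise ValueError("blob rejected")
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        pad, mac_key = self._blob_keys(nonce)
        if not hmac.compare_digest(tag, _prf(mac_key, label + nonce + ct)):
            raise ValueError("blob rejected")    # tampered, wrong label, or wrong card
        return bytes(c ^ p for c, p in zip(ct, pad))

    def sign(self, label: bytes, blob: bytes, message: bytes) -> bytes:
        """Upload a blob, use the key in RAM only, return the result."""
        key = self._unwrap(label, blob)
        return _prf(key, message)                # stand-in for a real signature

if __name__ == "__main__":
    card = ToyCard()
    # Host-side store (would be a file on disk); far more than 15 entries is fine.
    store = {b"key-%d" % i: card.new_key(b"key-%d" % i) for i in range(100)}
    print(card.sign(b"key-42", store[b"key-42"], b"hello").hex())
```

The number of keys is bounded only by host storage, and a blob that was modified, relabelled for another purpose, or presented to a different card fails the MAC check before any key material is used.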


