
GnuPG with OpenPGP card implementation



# I'm not on this list.  Please add CC to me for your reply.

Recently, I read a discussion about the use of OpenPGP cards by Debian
people (for Debian development).  It would be off-topic there, so I am
writing here.

Since 2010, for GnuPG development, I have been trying to improve the
support of card readers (including VASCO DIGIPASS 920 and Gemalto
PinPad Smart Card Reader) and OpenPGP card implementations (The
OpenPGP card [1], CryptoStick [2], and my FST-01 [3] with Gnuk [4]).

While it has improved and GnuPG works stably with certain hardware and
configurations (e.g., Gnuk Token is my daily use, at least), the
coverage of hardware support, OS support, and its stability in general
are far from perfect.  I have to address that.

Especially, the support of PIN input by the pinpad of a card reader is
very limited, and it's difficult for standardization reasons.  For
example, we need special configuration for a specific card reader with
pinpad, because of the card reader's limited capability [5].

I couldn't say,

	Let's use OpenPGP card implementations!

to a wider audience, in general (as of GnuPG 2.0.22).  Although I'd
recommend everyone to hold his/her secret keys on one of the OpenPGP
card implementations, instead of your normal PC, it's not always easy.

When a person buys an OpenPGP card/token and a random card reader, it is
likely that GnuPG doesn't work with them in his environment as
expected.  If the expectation is something like "out of the box" and
"fully functional", it won't be fulfilled.

I think that we need to accumulate users' experiences of using OpenPGP
cards.

To begin with, could you please read and add your information to this
page (if you are OpenPGP card user)?

	https://wiki.debian.org/GnuPG/CCID_Driver

Recently, the site http://wiki.gnupg.org/ became available, too.
It's also good to share experiences there.

Other than pinpad input and card reader, the most common discrepancy
would be the key length of RSA, perhaps.  It was GnuPG 2.0.20 (released
May, 2013) which fully supports RSA 4096-bit for OpenPGP card.  Gnuk
Token only supports RSA 2048-bit.  GnuPG's default is RSA 2048-bit.

Well, if you have time and some basic skills in electronics and
embedded systems, I'd like to invite you to build your own Gnuk OpenPGP
token.  We have a good article [6].

[1] http://g10code.com/p-card.html
[2] https://www.crypto-stick.com/
[3] http://www.seeedstudio.com/wiki/FST-01
[4] https://gitorious.org/gnuk
[5] http://wiki.gnupg.org/CardReader/GemaltoPC
[6] http://blog.asmw.org/2013/09/11/gnuk-openpgp-2-0-token/
-- 


