
Re: GnuPG with OpenPGP card implementation



I actually use my v2.0 OpenPGP card daily and have just been notified that my new order was just shipped today.

I have a built-in smartcard reader on my laptop:

Bus 002 Device 004: ID 0a5c:5800 Broadcom Corp. BCM5880 Secure Applications Processor

And then I have a USB SCM331 reader I got while on a government contract:

Bus 007 Device 002: ID 04e6:e001 SCM Microsystems, Inc. SCR331 SmartCard Reader

Both work fine used as my SSH authentication key and with both gpg 1.4.12 and gpg2 2.0.19. I am currently only using 3072-bit keys, though I'm looking forward to seeing if the new cards I ordered will handle 4096-bit, as I've read it is supposed to be supported with gpg2 2.0.18+ and newer batches of the v2.0 cards.

In my case, per my key policy, my OpenPGP cards hold just the sub-keys, as my primary key is kept offline on an encrypted drive in my vault.

On 09.10.2013 21:28, NIIBE Yutaka wrote:
# I'm not on this list.  Please add CC to me for your reply.

Recently, I read a discussion about the use of OpenPGP cards by Debian
people (for Debian development).  As it would be off-topic there, I am
writing here.

Since 2010, for GnuPG development, I have been trying to improve the
support of card readers (including VASCO DIGIPASS 920 and Gemalto
PinPad Smart Card Reader) and OpenPGP card implementations (The
OpenPGP card [1], CryptoStick [2], and my FST-01 [3] with Gnuk [4]).

While it has improved and GnuPG works stably with certain hardware and
configurations (e.g., Gnuk Token is my daily use, at least), the coverage
of hardware support, OS support, and its stability in general are far
from perfect.  I have to address that.

Especially, the support of PIN input by the pinpad of a card reader is very
limited, and it's difficult for standardization reasons.  For example,
we need a special configuration for a specific card reader with pinpad,
because of the card reader's limited capability [5].

I couldn't say,

	Let's use OpenPGP card implementations!

to a wider audience, in general (as of GnuPG 2.0.22).  Although I'd
recommend everyone to hold his/her secret keys on one of the OpenPGP card
implementations, instead of on a normal PC, it's not always easy.

When a person buys an OpenPGP card/token and a random card reader, it is
likely that GnuPG doesn't work with them in his environment as
expected.  If the expectation is something like "out of the box" and
"fully functional", it won't be fulfilled.

I think that we need to accumulate users' experiences of using OpenPGP
cards.

To begin with, could you please read and add your information to this
page (if you are an OpenPGP card user)?

	https://wiki.debian.org/GnuPG/CCID_Driver

Recently, the site http://wiki.gnupg.org/ has become available, too.
It's also good to share experiences there.

Other than pinpad input and card readers, the most common discrepancy
would be the RSA key length, perhaps.  It was GnuPG 2.0.20 (released May
2013) which fully supports RSA 4096-bit for the OpenPGP card.  Gnuk Token
only supports RSA 2048-bit.  GnuPG's default is RSA 2048-bit.

Well, if you have time and some basic skills in electronics and
embedded systems, I'd like to invite you to build your own Gnuk OpenPGP
token.  We have a good article [6].

[1] http://g10code.com/p-card.html
[2] https://www.crypto-stick.com/
[3] http://www.seeedstudio.com/wiki/FST-01
[4] https://gitorious.org/gnuk
[5] http://wiki.gnupg.org/CardReader/GemaltoPC
[6] http://blog.asmw.org/2013/09/11/gnuk-openpgp-2-0-token/
--
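Both messages above come down to the same practical question: does the card in front of you actually carry the keys, at the key length, that your GnuPG version and your workflow (SSH authentication via gpg-agent, 2048 vs. 4096-bit RSA) expect? The following script is an added example, not code from either poster or from the GnuPG project: it checks a card using the machine-readable output of `gpg --card-status --with-colons`. The colon-format field layout it relies on (`keyattr:<slot>:<algo>:<bits>:`, `fpr:<sig>:<enc>:<auth>:`, `pinretry:<pin>:<reset>:<admin>:`) is an assumption to verify against your own gpg version, and the embedded card status is a constructed sample with placeholder serial number and fingerprints, so the script runs without a reader attached.

```shell
#!/bin/sh
# Added example (not from the thread or the GnuPG project): sanity-check an
# OpenPGP card from `gpg --card-status --with-colons` before relying on it for
# signing or for SSH authentication through gpg-agent.
# ASSUMED colon-format layout (check against your gpg version):
#   keyattr:<slot>:<algo>:<bits>:   slot 1=signature, 2=encryption, 3=auth; algo 1=RSA
#   fpr:<sig-fpr>:<enc-fpr>:<auth-fpr>:
#   pinretry:<user-pin>:<reset-code>:<admin-pin>:

# CONSTRUCTED sample mimicking a v2.0 card holding three 3072-bit RSA keys.
# Serial number and fingerprints are placeholders, not values from a real card.
SAMPLE_CARD_STATUS='reader:Broadcom Corp 5880 [Contacted SmartCard] (0123456789AB) 00 00:
version:0200:
vendor:0005:ZeitControl:
serial:00000001:
name:Doe:Jane:
forcepin:1:::
keyattr:1:1:3072:
keyattr:2:1:3072:
keyattr:3:1:3072:
maxpinlen:32:32:32:
pinretry:3:0:3:
sigcount:42:::
fpr:1111111111111111111111111111111111111111:2222222222222222222222222222222222222222:3333333333333333333333333333333333333333:'

# card_key_bits STATUS SLOT: print the RSA length reported for key slot 1, 2
# or 3; print 0 if the card reports no attribute for that slot.
card_key_bits() {
    printf '%s\n' "$1" | awk -F: -v slot="$2" '
        $1 == "keyattr" && $2 == slot { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# card_has_auth_key STATUS: succeed if slot 3 holds a key, i.e. the card can
# act as an SSH authentication key once gpg-agent runs with
# enable-ssh-support and SSH_AUTH_SOCK points at it (then `ssh-add -L`
# should list the card key).
card_has_auth_key() {
    [ -n "$(printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $4 }')" ]
}

# card_meets_min_bits STATUS MIN: succeed only if all three key slots report
# at least MIN bits (2048 is what a Gnuk token offers, 4096 needs a newer
# v2.0 card and GnuPG 2.0.20+ for full support).
card_meets_min_bits() {
    for slot in 1 2 3; do
        [ "$(card_key_bits "$1" "$slot")" -ge "$2" ] || return 1
    done
    return 0
}

# card_pin_retries_left STATUS: print remaining user-PIN retries; 0 means
# the user PIN is blocked and the admin PIN or reset code is needed.
card_pin_retries_left() {
    printf '%s\n' "$1" | awk -F: '$1 == "pinretry" { print $2 }'
}

# To check a real card, replace the sample with:
#   STATUS=$(gpg --card-status --with-colons)
STATUS=$SAMPLE_CARD_STATUS

for slot in 1 2 3; do
    printf 'slot %s: RSA %s bits\n' "$slot" "$(card_key_bits "$STATUS" "$slot")"
done
if card_has_auth_key "$STATUS"; then
    echo "authentication key present: usable for SSH via gpg-agent"
else
    echo "no authentication key: create one with gpg --card-edit (generate)"
fi
if card_meets_min_bits "$STATUS" 4096; then
    echo "all keys are 4096-bit or longer (needs GnuPG 2.0.20+ for full support)"
else
    echo "at least one key is shorter than 4096 bits"
fi
printf 'user PIN retries left: %s\n' "$(card_pin_retries_left "$STATUS")"
```

Run it as-is to see the checks against the constructed sample; swap in the real `gpg --card-status --with-colons` line to check your own card and reader combination. Parsing the colon format rather than the human-readable `gpg --card-status` output keeps the checks stable across locales and minor wording changes between gpg 1.4 and gpg2 2.0.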

