generate keys on smartcard?
Werner Koch
wk at gnupg.org
Thu Dec 12 22:13:02 CET 2002
On Thu, 12 Dec 2002 02:02:45 +0100, Bernd Eckenfels said:
>> Even if a key was uploaded to the smartcard it won't be possible to
>> retrieve it again.
> Typically this feature is done to protect the user from himself. Like for
> example required for the Signaturgesetz (Signature Law in Europe).
The real advantage is that you can't trojan a machine to read out the
secret key. Without a well equipped lab it is even hard to probe a
modern card to get the key out.
> I think the key generation can be triggered by (card) vendor tools, this is
> not a big deal. The only thing in GPGs case would be to
There is actually an ISO commands to generate a keypair (INS 0x46),
although you need vendor specific parameters. Not a big deal and
tehre is no need to use a vendor tool - a card without available specs
might have otehr problems too.
> a) work with the smartcard crypto interface, which is also needed for those
> smart cards which allow the key to be loaded
Thsi will be an extension of the scdaemon from the Aegypten project.
> c) be able to use a smart card stored certificate to validate signatures (at
> least retrieve that certificate and put it in keystore)
Or store the fingerprint of some well known keys.
> The last option is needed, but that way a ca issued smartcard will also be
> the vehicle to deliver the ca's root cert to the user.
Ah well, I am thinking more of PGP than X.509. For X.509 keys stored
in a pkcs-15 application we already have good support. However
getting these cards is not easy unless you are Finnish, Swedish or
Estonian citizen.
Salam-Shalom,
Werner
More information about the Gnupg-devel
mailing list