exclusive vs. shared smart card access

Jacob Appelbaum jacob at appelbaum.net
Sat Aug 29 15:12:12 CEST 2015


Dear Jan,

On 8/28/15, Jan Suhr <jan at nitrokey.com> wrote:
> Hi Niibe and whom it may concern!
> This issue has been discussed previously but since Werner seems to be
> positive about it now, I will give it another try:
>
> GnuPG uses an exclusive mode when accessing OpenPGP Cards. This
> prevents, or at least complicates, using OpenPGP Cards with GPG and
> other applications on the same system. In fact it is a recurring
> problem that Nitrokey users are reporting. To my knowledge most other
> software (e.g. OpenSC, PKCS#11 drivers) uses shared access rather than
> exclusive access. It seems to be best practice.
>
> We tested GPG in shared mode for several weeks and couldn't find any
> issue. Also the performance seems to be identical. Hence I would like to
> request changing smart card access to shared mode.
>
> The necessary modification is simple: Change the third parameter of
> pcsc_connect() from PCSC_SHARE_EXCLUSIVE to PCSC_SHARE_SHARED at:
>     GPG 1.4: Once in g10/apdu.c
>     GPG 2.0: Once in scd/apdu.c and twice in scd/pcsc-wrapper.c
>     GPG 2.1: Once in scd/apdu.c

What are the security considerations of this change? Would this allow
one application to auth to the card and another application to perform
operations, for example? If not, has anyone confirmed that?

All the best,
Jacob
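
[Added example, not part of the original mail and not GnuPG's or
pcsc-lite's code.] To make the question above concrete: the
pcsc_connect() that Jan refers to is GnuPG's name for the PC/SC
SCardConnect() entry point, and its third argument is the share mode.
What changes between the two modes is enforced by the PC/SC daemon,
not by the card, and the card's PIN-verified state is global to the
card rather than to any one handle. The self-contained C model below
shows the resulting behaviour; its scard_* functions are stand-ins for
SCardConnect(), SCardBeginTransaction(), SCardTransmit() and
SCardDisconnect(), and the PIN, APDUs, status words and the two-command
"card" are constructed for the example. Three scenarios: exclusive mode
refuses a second application outright; shared mode with no transaction
lets application B sign on the PW1 verification that application A
performed; and shared mode with A bracketing VERIFY plus the signature
in a transaction and resetting the card on disconnect refuses B while
the transaction runs and leaves B with "security status not satisfied"
afterwards.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added illustration, not GnuPG or pcsc-lite code: a model of PC/SC share modes and
 * transactions. The functions stand in for SCardConnect(), SCardBeginTransaction(),
 * SCardTransmit() and SCardDisconnect(); the "card" knows two OpenPGP commands,
 * VERIFY PW1 (00 20 00 81) and PSO:CDS (00 2A 9E 9A), and ignores the PW1 status
 * byte that can make a real card forget PW1 after one signature. */
#define SHARE_EXCLUSIVE      1              /* SCARD_SHARE_EXCLUSIVE */
#define SHARE_SHARED         2              /* SCARD_SHARE_SHARED */
#define RC_OK                0UL
#define RC_SHARING_VIOLATION 0x8010000BUL   /* SCARD_E_SHARING_VIOLATION */
#define RESET_CARD           1              /* SCARD_RESET_CARD disposition */
#define SW_OK                0x9000
#define SW_SEC_FAIL          0x6982         /* security status not satisfied */

/* PIN-verified state lives in the card, so every handle on the reader shares it. */
struct card   { int pw1_verified; };
struct reader { struct card card; int n_handles; int exclusive_owner; int txn_owner; };
struct handle { int id; struct reader *r; };
static const char PW1_PIN[] = "123456";     /* constructed: the OpenPGP card default user PIN */

unsigned long scard_connect(struct reader *r, int id, int mode, struct handle *h) {
    if (r->exclusive_owner) return RC_SHARING_VIOLATION;               /* reader held exclusively */
    if (mode == SHARE_EXCLUSIVE && r->n_handles > 0) return RC_SHARING_VIOLATION;
    h->id = id; h->r = r; r->n_handles++;
    if (mode == SHARE_EXCLUSIVE) r->exclusive_owner = id;
    return RC_OK;
}
/* Real PC/SC blocks until the other transaction ends; the model reports it instead. */
unsigned long scard_begin_transaction(struct handle *h) {
    if (h->r->txn_owner && h->r->txn_owner != h->id) return RC_SHARING_VIOLATION;
    h->r->txn_owner = h->id;
    return RC_OK;
}
void scard_end_transaction(struct handle *h) { if (h->r->txn_owner == h->id) h->r->txn_owner = 0; }

void scard_disconnect(struct handle *h, int disposition) {
    scard_end_transaction(h);
    if (h->r->exclusive_owner == h->id) h->r->exclusive_owner = 0;
    h->r->n_handles--;
    if (disposition == RESET_CARD) h->r->card.pw1_verified = 0;     /* a reset clears PIN state */
}

/* Commands from a handle that does not own the running transaction are refused. */
unsigned long scard_transmit(struct handle *h, const uint8_t *apdu, size_t len, uint16_t *sw) {
    struct card *c = &h->r->card;
    if (h->r->txn_owner && h->r->txn_owner != h->id) return RC_SHARING_VIOLATION;
    if (len >= 5 && apdu[1] == 0x20 && apdu[3] == 0x81) {              /* VERIFY PW1 */
        size_t lc = apdu[4];
        c->pw1_verified = lc == strlen(PW1_PIN) && len >= 5 + lc && !memcmp(apdu + 5, PW1_PIN, lc);
        *sw = c->pw1_verified ? SW_OK : SW_SEC_FAIL;
    } else if (len >= 4 && apdu[1] == 0x2A && apdu[2] == 0x9E && apdu[3] == 0x9A) { /* PSO:CDS */
        *sw = c->pw1_verified ? SW_OK : SW_SEC_FAIL;
    } else {
        *sw = 0x6D00;                                                    /* INS not supported */
    }
    return RC_OK;
}

/* Constructed APDUs: VERIFY PW1 with the default PIN, and a PSO:CDS header (DSI body omitted). */
static const uint8_t VERIFY_PW1[] = {0x00, 0x20, 0x00, 0x81, 0x06, '1', '2', '3', '4', '5', '6'};
static const uint8_t SIGN[]       = {0x00, 0x2A, 0x9E, 0x9A};

/* 1. Exclusive mode: a second application cannot even connect. */
unsigned long scenario_exclusive_locks_out_peer(void) {
    struct reader r = {0}; struct handle gpg, other;
    scard_connect(&r, 1, SHARE_EXCLUSIVE, &gpg);
    return scard_connect(&r, 2, SHARE_SHARED, &other);
}

/* 2. Shared mode, no transaction: B signs on the PIN state that A established. */
uint16_t scenario_shared_pin_state_reused(void) {
    struct reader r = {0}; struct handle a, b; uint16_t sw = 0;
    scard_connect(&r, 1, SHARE_SHARED, &a);
    scard_connect(&r, 2, SHARE_SHARED, &b);
    scard_transmit(&a, VERIFY_PW1, sizeof VERIFY_PW1, &sw);
    scard_transmit(&b, SIGN, sizeof SIGN, &sw);
    return sw;
}

/* 3. Shared mode, but A brackets VERIFY+sign in a transaction and resets the card on disconnect. */
uint16_t scenario_transaction_then_reset(unsigned long *rc_peer_during_txn) {
    struct reader r = {0}; struct handle a, b; uint16_t sw = 0;
    scard_connect(&r, 1, SHARE_SHARED, &a);
    scard_connect(&r, 2, SHARE_SHARED, &b);
    scard_begin_transaction(&a);
    scard_transmit(&a, VERIFY_PW1, sizeof VERIFY_PW1, &sw);
    *rc_peer_during_txn = scard_transmit(&b, SIGN, sizeof SIGN, &sw);  /* refused: A holds the transaction */
    scard_transmit(&a, SIGN, sizeof SIGN, &sw);
    scard_end_transaction(&a);
    scard_disconnect(&a, RESET_CARD);
    scard_transmit(&b, SIGN, sizeof SIGN, &sw);                        /* verified state is gone */
    return sw;
}

int main(void) {
    unsigned long rc; uint16_t sw = scenario_transaction_then_reset(&rc);
    printf("exclusive:         peer connect rc = 0x%08lx\n", scenario_exclusive_locks_out_peer());
    printf("shared, no txn:    peer PSO:CDS SW = 0x%04x\n", scenario_shared_pin_state_reused());
    printf("shared, txn+reset: peer PSO:CDS SW = 0x%04x (rc during txn = 0x%08lx)\n", sw, rc);
    return 0;
}
```

The third scenario is the discipline a shared-mode client would need:
SCardBeginTransaction() around VERIFY and the operation that consumes
it, and no verified state left behind when the handle is closed. Two
things the model simplifies: real PC/SC blocks a competing
SCardBeginTransaction() rather than failing it, and after another
handle resets the card the peer's next call gets SCARD_W_RESET_CARD and
has to SCardReconnect(). Whether a given card actually keeps PW1
verified across the other application's commands is a property of the
card, so the model does not replace checking it against real hardware.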



More information about the Gnupg-devel mailing list