Bridging the airgap

Dirk-Willem van Gulik dirkx at webweaving.org
Mon Aug 7 13:18:17 CEST 2017


> On 7 Aug 2017, at 12:13, Neal H. Walfield <neal at walfield.org> wrote:
> 
> On Sun, 06 Aug 2017 19:53:14 +0200,
> Dirk-Willem van Gulik wrote:
>> As per the IRC discussion - below is a slightly hacked test script of
>> ours that allows you to abuse a suitable chipcard or Yubico PGP card
>> with x509 functionality to `bridge' an airgap during generation
>> where one *also* wants the public key to be transported out of the
>> secure initial generation (or renewal of the expiry of the subkeys)
>> by means of a smartcard itself (which you sort of axiomatically need
>> to be able to trust the airgap).
> 
> This is a neat idea.  Did you try using OpenPGP private DOs (data
> objects) to store this data?  

Yes!

> See 4.4.3.1 of the OpenPGP card spec:
> 
>  https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf
> 
> I'd be interested to hear what cards have enough space for this.

We’ve never used/seen cards newer than 2.1 (or have any which respond to DO 7F66); on those 2.1 applets — I think that 101 et al. is just shy of 255 bytes.

We’ve been using mixed x509 and openpgp cards/usb-sticks.

Any suggestions for pure open-pgp cards that are newer ?

Dw.
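The point of the exchange above is that the four private-use DOs (0101..0104) are small, so a public key has to be chunked across them and checked for completeness on the way back out. The following is an added example written for this archive page; it is not the test script Dirk mentions and not GnuPG code. It assumes a per-DO capacity of 254 bytes (taken from the "just shy of 255" observation on 2.1 applets; check your own card), encodes PUT DATA / GET DATA as plain ISO 7816-4 short APDUs with P1P2 set to the DO tag, and talks to a constructed in-memory stand-in for the card so that it runs offline. The length-plus-SHA-256 header is a hypothetical framing choice: it lets the reader detect truncated transfers and stale bytes left in a higher DO by an earlier, longer write.

```python
"""Chunk a public-key blob across the OpenPGP card private-use DOs 0101..0104.

Hypothetical helper for this thread, not from GnuPG or the poster's script.
Assumptions: each private DO holds at most DO_MAX bytes (254, after Dirk's
"just shy of 255" on 2.1 applets), and the card accepts ISO 7816-4
PUT DATA (INS DA) / GET DATA (INS CA) with P1P2 equal to the DO tag.
"""
import hashlib
import struct

PRIVATE_DOS = (0x0101, 0x0102, 0x0103, 0x0104)  # private-use DOs, spec 4.4.3.1
DO_MAX = 254                                      # assumed per-DO capacity
HEADER = struct.Struct(">H32s")                   # key length + SHA-256 of key


def put_data_apdu(tag, data):
    """PUT DATA: CLA 00, INS DA, P1P2 = tag, short Lc, no Le."""
    if not 0 < len(data) <= 255:
        raise ValueError("short APDU carries 1..255 data bytes")
    return bytes([0x00, 0xDA, tag >> 8, tag & 0xFF, len(data)]) + data


def get_data_apdu(tag):
    """GET DATA: CLA 00, INS CA, P1P2 = tag, Le = 00 (up to 256 bytes back)."""
    return bytes([0x00, 0xCA, tag >> 8, tag & 0xFF, 0x00])


def pack(blob):
    """Return the PUT DATA APDUs that store blob (with header) across the DOs."""
    payload = HEADER.pack(len(blob), hashlib.sha256(blob).digest()) + blob
    capacity = DO_MAX * len(PRIVATE_DOS)
    if len(payload) > capacity:
        raise ValueError(
            f"{len(blob)}-byte key needs {len(payload)} bytes, "
            f"card holds {capacity} across {len(PRIVATE_DOS)} private DOs")
    chunks = [payload[i:i + DO_MAX] for i in range(0, len(payload), DO_MAX)]
    return [put_data_apdu(tag, chunk) for tag, chunk in zip(PRIVATE_DOS, chunks)]


def unpack(dos):
    """Rebuild the blob from a {tag: bytes} map, rejecting partial/stale data."""
    payload = b"".join(dos.get(tag, b"") for tag in PRIVATE_DOS)
    if len(payload) < HEADER.size:
        raise ValueError("private DOs hold no key header")
    n, digest = HEADER.unpack_from(payload)
    blob = payload[HEADER.size:HEADER.size + n]
    if len(blob) != n or hashlib.sha256(blob).digest() != digest:
        raise ValueError("private DOs do not hold a complete, intact key")
    return blob


class MockCard:
    """Constructed stand-in for the card: stores DOs, answers the two INS codes."""

    def __init__(self):
        self.dos = {}

    def transmit(self, apdu):
        cla, ins, p1, p2 = apdu[:4]
        tag = (p1 << 8) | p2
        if ins == 0xDA:                       # PUT DATA
            lc = apdu[4]
            self.dos[tag] = bytes(apdu[5:5 + lc])
            return b"\x90\x00"
        if ins == 0xCA:                       # GET DATA
            return self.dos.get(tag, b"") + b"\x90\x00"
        return b"\x6D\x00"                    # INS not supported


def write_key(card, blob):
    """Store blob on the card, failing loudly on any non-9000 status."""
    for apdu in pack(blob):
        if card.transmit(apdu)[-2:] != b"\x90\x00":
            raise RuntimeError("PUT DATA rejected by card")


def read_key(card):
    """Read all four private DOs back and reassemble the blob."""
    dos = {}
    for tag in PRIVATE_DOS:
        resp = card.transmit(get_data_apdu(tag))
        if resp[-2:] == b"\x90\x00":
            dos[tag] = resp[:-2]
    return unpack(dos)


def round_trip(blob, card=None):
    """Write then read on a (mock) card; returns what came back."""
    card = card or MockCard()
    write_key(card, blob)
    return read_key(card)


# Constructed stand-in for an exported binary public key (512 bytes).
SAMPLE_KEY = bytes(range(256)) * 2

if __name__ == "__main__":
    print(len(pack(SAMPLE_KEY)), "PUT DATA APDUs needed")
    assert round_trip(SAMPLE_KEY) == SAMPLE_KEY
```

With a real card one would not hand-roll APDUs: GnuPG's scdaemon exposes the same DOs as the PRIVATE-DO-1 .. PRIVATE-DO-4 attributes (`gpg-connect-agent 'scd SETATTR PRIVATE-DO-1 ...' /bye` and `scd GETATTR PRIVATE-DO-1`), and the four DOs carry different PIN requirements for read and write per the spec, which the mock ignores. The hash only guards integrity of the transfer; as the thread says, the card itself is what you are trusting to carry the key across the gap.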


More information about the Gnupg-devel mailing list