Storing key on multiple smartcards
Frederick Zhang
frederick888 at tsundere.moe
Fri Apr 19 18:34:28 CEST 2019
> Sorry, I can't understand how your patch solves your particular
> problem.
There are 2 issues in my case:
1. When `-u` is given, GPG selects the latest secret subkey from those
which have the desired capability, but keys that can be found on disk or
in a currently accessible smart card should actually be preferred.
2. The current shadow key mechanism does not allow the same subkey to be
stored on disk and/or one or more smart cards at the same time.
My patch fixes only the first one (partially). It prioritises the secret
subkey which is stored in the smart card that's being used right now
among all those that can reach
<https://dev.gnupg.org/source/gnupg/browse/master/g10/getkey.c;dc93e57226db32d5b90884dcf768d271baa6628a$3517>.
> Perhaps, better approach would be using a serial number only as a
> hint, extending keygrip-centric approach of gpg-agent.
That sounds great! I was thinking that working around the current shadow
key logic might require fewer changes but removing serial numbers from
shadow keys is indeed better. If the serial numbers can be saved in
plain text files, not only the duplicate data across shadow keys in my
proposal can be avoided, it will also allow users to easily manage the
info and store additional metadata like nicknames as you mentioned.
> For warning message at keytocard command, I think that Peter's
> suggestion makes sense, but please don't mix separate things. It is
> related somehow, but I think it is better to be handled seperately.
Sure. This is something that we can get out of the door quickly and it's
not influenced by the other 2 problems. Do you want me to start another
thread to nail down the wording?
Peter also mentioned a new option for the keytocard command which allows
users to keep the keygrip untouched after transferring the secret key to
a smart card. Shall we move the discussion about this to the new thread
as well?
--
Best Regards,
Frederick Zhang
Email: frederick888 at tsundere.moe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190420/6e7171e2/attachment-0001.sig>
More information about the Gnupg-devel
mailing list