Should Poldi lock the smart card when the screen locks?

Alexander Paetzelt | Nitrokey alex at nitrokey.com
Tue Sep 24 09:21:58 CEST 2019


Hey,

I found it odd too. I have two thoughts on that.

* The reason for using a smartcard to unlock a computer is to have a
second factor. Locking the screen but leaving the card inside the
computer is therefore like disabling the second factor. One could argue
that you shouldn't do that anyway. Unplugging the card disables the
described problem.
* On the other hand, the situation now is like disabling both factors,
so this is quite bad, especially because people tend to just forget stuff...

What I was thinking about is a function in the OpenPGP Card standard
since version 3.1. It is possible to use the VERIFY command to reset the
access status to 'not verified' (see 7.2.2 of the current standard). [1]
This may do the trick. Of course, this solution would be limited to
OpenPGP Cards only.

@Niibe Gnuk only supports OpenPGP Card 2.1 (besides ECC keys) so far,
right?

Kind regards
Alex

[1] https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.1.pdf
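The VERIFY-based reset discussed above, as an added example that is not code from the thread, Poldi or Gnuk: it encodes the VERIFY APDUs of section 7.2.2 (verify, query status, reset to 'not verified') and runs them against a small constructed card model. The card model, its PIN value and its retry counter are assumptions made here, not the behaviour of any particular card firmware.

```python
from typing import List, Optional

PW1 = 0x81  # password reference for PW1 (the user PIN), as in the OpenPGP card spec


def verify_apdu(pw_ref: int, pin: Optional[bytes] = None, reset: bool = False) -> bytes:
    """Build a VERIFY APDU (CLA=00, INS=20) per section 7.2.2 of OpenPGP card spec 3.x.

    P1=00 with PIN data : verify the PIN.
    P1=00 without data  : query the current access status.
    P1=FF without data  : reset the access status to 'not verified' (spec >= 3.1).
    """
    header = bytes([0x00, 0x20, 0xFF if reset else 0x00, pw_ref])
    if pin is None:
        return header  # case-1 APDU, no Lc/data field
    return header + bytes([len(pin)]) + pin


class SimulatedOpenPGPCard:
    """Constructed model of the card side of VERIFY; not Gnuk or a real card."""

    def __init__(self, pw1: bytes = b"123456", retries: int = 3):
        self.pw1, self.retries, self.verified = pw1, retries, False

    def transmit(self, apdu: bytes) -> int:
        """Return the status word (SW1SW2) the card would answer with."""
        cla, ins, p1, p2 = apdu[:4]
        if (cla, ins, p2) != (0x00, 0x20, PW1):
            return 0x6A86  # incorrect P1/P2 (only PW1 is modelled here)
        data = apdu[5:] if len(apdu) > 4 else b""
        if p1 == 0xFF:
            self.verified = False  # the reset the thread talks about
            return 0x9000
        if not data:  # status query: 9000 if verified, else 63Cx with x = retries left
            return 0x9000 if self.verified else 0x63C0 | self.retries
        if self.retries == 0:
            return 0x6983  # PIN blocked
        if data == self.pw1:
            self.verified, self.retries = True, 3
            return 0x9000
        self.retries -= 1
        return 0x63C0 | self.retries


def lock_demo(card: SimulatedOpenPGPCard, pin: bytes) -> List[int]:
    """Verify PW1, confirm it is verified, reset it (as a screen locker would), re-check."""
    return [card.transmit(verify_apdu(PW1, pin)),
            card.transmit(verify_apdu(PW1)),
            card.transmit(verify_apdu(PW1, reset=True)),
            card.transmit(verify_apdu(PW1))]
```

After the reset the status query answers 63C3 instead of 9000, so a subsequent unlock again requires the PIN.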

On 20.09.19 18:39, Franklin, Jason wrote:
> Greetings,
> 
> I'm continuing my work on the integration of Poldi and the KDE screen
> locker.
> 
> Currently, when the user locks the screen and leaves their smart card
> inserted, the smart card remains unlocked.  Thus, the screen can be
> locked and the user (or someone else!) can simply press <Enter> to
> unlock the desktop.
> 
> My question is simple: What component should be modified to make sure
> the smart card is locked when the screen is locked, thus requiring the
> user to enter the GPG card passphrase to unlock the card and then the
> desktop?
> 
> This would make the locker behave as expected.
> 



More information about the Gnupg-devel mailing list