Do smartcards stay unlocked forever by design?
Werner Koch
wk at gnupg.org
Tue Jan 18 23:45:27 CET 2011
On Mon, 17 Jan 2011 22:03, kgo at grant-olson.net said:

> 1) Once I enter my pin, the card is unlocked as long as it's connected.

It depends on the card application. For the OpenPGP card it is true for
key 2 and 3. For key 1 see below. A reset operation locks the keys
again. (Try: gpg-connect-agent 'scd reset' /bye)

> 2) I get prompted when making a signature because the sig counter gets
> incremented, and that's a write operation to the card. Decrypting and

No, that is because the forcesig flag is set; this requires a verify
command before a crypto command with key 1. "gpg --edit-key", then
"admin" and then "forcesig" toggles this flag.

> 3) The proper way to 'lock' the card is to remove it from the reader.

Yeah, powering it down is a pretty reliable way to lock all keys.
Recall that the card is a regular computer - a bit small by today's
desktop standards, but still a fully working CPU with RAM, ROM and I/O.
Removing it from the readers is like pulling out the mains plug.

Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
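
Added example, not part of the original message and not GnuPG's own code: a small shell helper that reports whether the forcesig flag discussed above is set and locks the card with the reset command from the message. The function names and the sample text are constructed for illustration; it assumes the English (LC_ALL=C) wording of "gpg --card-status", where the flag appears on the "Signature PIN" line.

```shell
#!/bin/sh
# Added example: audit the forcesig setting and lock an OpenPGP card.
# Assumption: "gpg --card-status" run with LC_ALL=C prints a line
# "Signature PIN ....: forced" or "Signature PIN ....: not forced".

# Constructed excerpt of card-status output, for offline illustration only.
SAMPLE_STATUS='Application type .: OpenPGP
Signature PIN ....: not forced
Signature counter : 42'

# Read card-status text on stdin; print "forced", "not forced" or "unknown".
forcesig_state() {
    awk -F': *' '
        /^Signature PIN/ { state = $2; sub(/[ \t\r]+$/, "", state) }
        END {
            if (state == "forced" || state == "not forced") print state
            else print "unknown"
        }'
}

# Return 0 only when key 1 needs a fresh PIN verification per signature.
audit_card() {
    state=$(LC_ALL=C gpg --card-status 2>/dev/null | forcesig_state)
    case $state in
        forced)
            echo "forcesig set: key 1 needs a PIN verify before each signature" ;;
        "not forced")
            echo "forcesig not set: key 1 stays usable until reset or power-down"
            return 1 ;;
        *)
            echo "no card found or output not recognised"
            return 2 ;;
    esac
}

# Lock all keys without unplugging the card (the reset from the message).
lock_card() {
    gpg-connect-agent 'scd reset' /bye
}

# Stand-alone use: "sh script audit" or "sh script lock"; no argument does nothing.
case "${1:-}" in
    audit) audit_card ;;
    lock)  lock_card ;;
esac
```

Since keys 2 and 3 stay unlocked either way, lock_card is the piece to call from a screen-lock or logout hook.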