Talking about Cryptodevices... which one?

Andreas Schwier andreas.schwier.ml at cardcontact.de
Sat Jan 24 18:14:01 CET 2015


> Here we go.
> 
> (a) OpenPGPcard compatible device
> 
> With those devices which conform to OpenPGPcard specification, it is
> possible to offer its users following features, using GnuPG and
> related tools.
> 
>    (1) OpenPGP support
>    (2) SSH support through gpg-agent
>    (3) X.509 support
>        S/MIME
>        SSL/TLS client certificate authentication
> 
> Because those devices are intended to be used for OpenPGP, OpenPGP
> support is superior.
> 
> But the support for #3 is somewhat experimental.  Honestly, I don't use
> those features with my device, but just do experiments from time to time.
> 
> For OpenPGPcard-compatible devices, we can check the list of existing (or
> former) "manufacturers" in the source code, specifically, the function
> get_manufacturer in gnupg/g10/card-util.c.
> 
> 
> (b) (Ab)using other devices with GnuPG
> 
> GnuPG has support for some existing smartcards/tokens not designed for
> OpenPGP.
> 
> With those devices, I guess that OpenPGP support would be secondary,
> but X.509 support could be considered superior.
> 
> We can check the source code, gnupg/scd/app-*.c (other than openpgp),
> for that support.  There are:
> 
> 	DINSIG (DIN V 66291-1) card
> 	German Geldkarte
> 	Telesec NKS card
> 	pkcs#15 card
> 	SmartCard-HSM card
> 
> ... but I think that most are outdated, except the last one.
And I would love to use that last device to store my PGP keys as well.
Unfortunately there is a certain resistance to support other devices
than cards conforming with the OpenPGPCard specification.

I want a device that can store all my keys independently of whether it's
a GNUPG key, an SSH key, an X.509 key, a DNSSEC key or an OpenVPN key,
because in the end it's just a private key - there is nothing special
about a GNUPG key that prevents me from storing it on a device other than
an OpenPGPCard.

And I don't want to be limited in the number and types of keys on that
device. And I want a secure key escrow scheme where I can backup and
restore sensitive key material - functions the OpenPGPCard specification
does not provide for.

Andreas


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com
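The quoted message points at get_manufacturer in gnupg/g10/card-util.c as the place to see which OpenPGPcard manufacturers GnuPG knows about. What that function consumes is the manufacturer field of the card's application identifier, the "Application ID" line of gpg --card-status. The following is an added example, not code from this mail thread or from GnuPG, that decodes that 16-byte AID and maps the manufacturer field the same way; it also rejects AIDs of non-OpenPGP applets (a SmartCard-HSM or PKCS#15 card carries a different RID, so the OpenPGP field layout does not apply). The MANUFACTURERS table is a partial subset written from memory of the specification and is labelled as such; the treatment of 0xFF00-0xFFFE as the "unmanaged S/N range" is likewise stated as an assumption, and the full, authoritative table remains the switch in card-util.c.

```python
"""Decode the OpenPGP card Application Identifier (AID) that
``gpg --card-status`` prints as "Application ID", and map its
manufacturer field the way get_manufacturer() in
gnupg/g10/card-util.c does.

OpenPGP card AID layout (16 bytes):
  D2 76 00 01 24  RID registered to the FSF Europe
  01              PIX: OpenPGP application
  vv vv           version, major.minor
  mm mm           manufacturer id
  ss ss ss ss     serial number
  00 00           reserved for future use
"""
from dataclasses import dataclass

OPENPGP_RID = bytes.fromhex("D276000124")
OPENPGP_PIX = 0x01

# Partial subset of manufacturer ids, written from memory of the spec.
# The authoritative and complete table is the switch in get_manufacturer()
# in gnupg/g10/card-util.c.
MANUFACTURERS = {
    0x0001: "PPC Card Systems",
    0x0002: "Prism",
    0x0003: "OpenFortress",
    0x0004: "Wewid",
    0x0005: "ZeitControl",
    0x0006: "Yubico",
    0x002A: "Magrathea",
    0xF517: "FSIJ",
}


@dataclass(frozen=True)
class OpenPGPAid:
    version: str
    manufacturer_id: int
    manufacturer: str
    serial: int


def manufacturer_name(mid: int) -> str:
    """Name for a manufacturer id.

    Assumption: 0xFF00-0xFFFE is the range the spec leaves for cards
    without a managed serial number space (test/unmanaged cards).
    """
    if 0xFF00 <= mid <= 0xFFFE:
        return "unmanaged S/N range"
    return MANUFACTURERS.get(mid, "unknown")


def parse_openpgp_aid(aid_hex: str) -> OpenPGPAid:
    """Parse a hex AID; raise ValueError if it is not an OpenPGP card AID."""
    raw = bytes.fromhex(aid_hex.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"expected a 16-byte AID, got {len(raw)} bytes")
    if raw[:5] != OPENPGP_RID or raw[5] != OPENPGP_PIX:
        # A different RID/PIX (e.g. a SmartCard-HSM or PKCS#15 applet):
        # the OpenPGP field layout below does not apply to it.
        raise ValueError("not an OpenPGP card application identifier")
    major, minor = raw[6], raw[7]
    mid = int.from_bytes(raw[8:10], "big")
    serial = int.from_bytes(raw[10:14], "big")
    return OpenPGPAid(f"{major}.{minor}", mid, manufacturer_name(mid), serial)


def is_openpgp_card(aid_hex: str) -> bool:
    """True if the AID belongs to the OpenPGP application."""
    try:
        parse_openpgp_aid(aid_hex)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample AID: version 2.1, manufacturer 0x0006, serial 1.
    print(parse_openpgp_aid("D2760001240102010006000000010000"))
```

The check on the RID and PIX is the practical point: only an AID starting with D2760001240 1 is an OpenPGPcard application, so a SmartCard-HSM or PKCS#15 token will be handled by a different app-*.c in scd and must not be decoded with this layout.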