Change OpenPGP Smartcard PIN retry counter

Chandler Davis me at chandlerdavis.cc
Wed Nov 19 22:43:11 CET 2025


On 11/19/25 4:04 PM, Borden via Gnupg-users wrote:

> What's the control on this to stop a bad actor from stealing an
> OpenPGP card and setting the reset count to 99999? I know you
> alluded to hardware implementation, but does the spec require the
> level 2 password to change this, if it can?

Ah yes, sorry I forgot to mention it requires the Admin PIN a.k.a. PW3 
to change the max attempts.

Just to get my terminology straight:

PW1 (User PIN) - Used for signing and decryption operations

RC (Reset Code) - Only valid for resetting PW1 after reaching max 
attempts. PW3 can be used for this as well.

PW3 (Admin PIN) - Used for sensitive admin operations, such as changing 
the max attempts for PW1 (if supported).

I pulled most of this from section 4.3 of the specification available 
here: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf

Hope that helps!

-- 
Best,
Chandler Davis
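
The three references named in the message above (PW1, RC, PW3) each have their own retry counter on the card. The following is an added example, not part of the original message or of GnuPG's code: it decodes the 7-byte PW Status Bytes data object (tag C4) described in the linked specification and reports which reference can still reset a blocked PW1. The function names and the sample byte strings are constructed for illustration.

```python
from dataclasses import dataclass

REFS = ("PW1", "RC", "PW3")

@dataclass
class PwStatus:
    pw1_multi_sign: bool  # True: one PW1 verification covers several signatures
    max_len: dict         # maximum length per reference
    pin_block: dict       # True: PIN block format 2 (bit 8 set), else UTF-8
    tries_left: dict      # remaining attempts; 0 means blocked (or RC not set)

def parse_pw_status(raw: bytes) -> PwStatus:
    """Decode the PW Status Bytes DO: flag, three length bytes, three counters."""
    if len(raw) != 7:
        raise ValueError(f"expected 7 bytes, got {len(raw)}")
    if raw[0] not in (0x00, 0x01):
        raise ValueError(f"unexpected PW1 validity flag {raw[0]:#04x}")
    lengths = raw[1:4]
    return PwStatus(
        pw1_multi_sign=(raw[0] == 0x01),
        # Bits 1-7 carry the length; bit 8 is a format flag for PW1 and PW3.
        max_len={r: b & 0x7F for r, b in zip(REFS, lengths)},
        pin_block={"PW1": bool(lengths[0] & 0x80), "PW3": bool(lengths[2] & 0x80)},
        tries_left=dict(zip(REFS, raw[4:7])),
    )

def assess(status: PwStatus) -> list:
    """Return findings a card custodian would want to know about."""
    findings = []
    left = status.tries_left
    if left["PW1"] == 0:
        # A blocked PW1 can be reset with the Reset Code or with PW3.
        usable = [r for r in ("RC", "PW3") if left[r] > 0]
        findings.append("PW1 blocked; reset possible with: "
                        + (", ".join(usable) or "nothing"))
    if left["PW3"] == 0:
        findings.append("PW3 blocked; admin operations unavailable")
    return findings

if __name__ == "__main__":
    # Constructed samples: healthy card, PW1 blocked, everything blocked.
    for sample in ("007f7f7f030003", "017f7f7f000002", "007f7f7f000000"):
        st = parse_pw_status(bytes.fromhex(sample))
        print(sample, st.tries_left, assess(st) or "ok")
```
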
