On Wed, Apr 24, 2019 at 10:01 AM Marek Szuba <mare...@gentoo.org> wrote:
>
> On 2019-04-24 13:41, Rich Freeman wrote:
> >
> > What is the recommended way to create an on-card key?
>
> I haven't got my NitroKey yet but between the specifications (which say
> NK2 can hold up to 3 private RSA keys) and my prior experience with
> OpenPGP smartcards (which have always had at most one slot each assigned
> to authentication, encryption and signing), chances are pretty high you
> cannot have two separate signing keys in hardware. If so, your best bet
> is probably to generate the primary key in software (preferably with
> usage bits stripped down so that it can ONLY be used for signing keys),
> generate hardware subkeys associated with it, then stash the private
> primary key away somewhere.
>
Well, in that case recommendations for how to generate a key that complies in software would be helpful. There used to be a wiki article on it, but it is marked with various warnings saying it isn't recommended to follow it, and has seemingly vanished with a note that it moved somewhere.

Aside from that, it seems a bit odd to issue devs Nitrokeys (at significant expense to both the Foundation and a kind sponsor), then require a key design that can't actually be stored on the Nitrokey. A Nitrokey-generated key is going to be way more secure than the way 99% of devs will actually implement what seems to be intended, which is to just generate their keys on a regular online host, and probably just leave it there.

If it is the case that Nitrokeys can't support a separate primary key, I'd suggest modifying the GLEP to remove that requirement when a smartcard is in use. Its main purpose is to keep a key component offline, and if the key is generated on the card that is already accomplished.

Maybe somebody has a suggestion for how to make the two work together, otherwise I'll go ahead and suggest a GLEP revision for the next Council meeting.

-- 
Rich
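The layout Marek describes above (a software primary key whose usage bits are cut down to certifying subkeys, separate subkeys for each card role, primary key stashed offline) as an added example; this is not code from the thread, from Gentoo, or from Nitrokey. It assumes GnuPG 2.1 or newer on the PATH, uses a constructed user ID and an empty passphrase so it runs unattended, and stands in for the card with a second scratch keyring: where a Nitrokey is in use, the export step would be replaced by moving each subkey with "keytocard" inside gpg --edit-key, which needs the card present and is not done here.

```shell
#!/bin/sh
# Added example, not from the thread: build an OpenPGP key whose primary key
# can ONLY certify subkeys, attach separate sign/encrypt/auth subkeys, export
# just the subkeys, and show that a keyring holding only that export still
# signs while the primary secret key is absent (a stub). With a Nitrokey the
# subkeys would instead be moved with "keytocard" inside gpg --edit-key; that
# needs a card and is not done here. Assumes GnuPG 2.1 or newer.
set -eu

KEY_ALGO="${KEY_ALGO:-rsa3072}"                 # NK2 slots hold RSA keys
KEY_UID="Example Dev <dev@example.invalid>"     # constructed user ID

# gpg against the keyring in $1, non-interactive, empty passphrase (demo only).
g() {
  home="$1"; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Fingerprint of the first secret key in keyring $1 (colon-format fpr record).
fpr_of() {
  gpg --homedir "$1" --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Prints "stub" when the daily keyring ends up with a stubbed primary key and
# working subkeys, "skipped" when gpg is not installed.
offline_primary_demo() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  work="$(mktemp -d)"
  online="$work/offline-box"   # where the primary key lives (an offline host in practice)
  daily="$work/daily-box"      # the machine or card that only ever sees subkeys
  mkdir -m 700 "$online" "$daily"

  # 1. Primary key with usage restricted to "cert": it can sign subkeys and
  #    user IDs but cannot sign data, encrypt, or authenticate.
  g "$online" --quick-generate-key "$KEY_UID" "$KEY_ALGO" cert never
  fpr="$(fpr_of "$online")"

  # 2. One subkey per card slot role (signing, encryption, authentication).
  for usage in sign encr auth; do
    g "$online" --quick-add-key "$fpr" "$KEY_ALGO" "$usage" 1y
  done

  # 3. Export only the subkeys; the primary secret key never leaves $online.
  g "$online" --armor --export-secret-subkeys "$fpr" > "$work/subkeys.asc"
  g "$daily" --import "$work/subkeys.asc"

  # 4. Check: "sec#" marks a primary key whose secret part is missing.
  gpg --homedir "$daily" --batch --list-secret-keys | grep -q '^sec#' \
    || { echo nostub; return 1; }

  # 5. The keyring with the stubbed primary still signs via the signing subkey.
  printf 'commit contents\n' > "$work/msg"
  g "$daily" --detach-sign --output "$work/msg.sig" "$work/msg"
  gpg --homedir "$daily" --batch --verify "$work/msg.sig" "$work/msg" 2>/dev/null

  # Tidy up the per-keyring agents and the scratch directory.
  for h in "$online" "$daily"; do GNUPGHOME="$h" gpgconf --kill gpg-agent; done
  rm -rf "$work"
  echo stub
}

DEMO_RESULT="$(offline_primary_demo)"
echo "primary key in daily keyring: $DEMO_RESULT"
```

The "sec#" marker is what a keyring looks like after the primary secret key has been removed; a keyring whose subkeys live on a card shows the same stub for the primary and card-backed stubs for the subkeys. The subkeys.asc file plays the role of the card here, and the offline-box directory plays the role of the stashed primary key, which is the part to back up and keep off the online host.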