At Thu, 21 Jul 2005 13:09:40 +0200, Zeljko Vrba wrote:
> > I'd like to do PGP with a Smartcard that contains my main private
> > key (I
>
> I have made a patch to support 3rd party smart-cards with GPG using
> PKCS#11 interface.
>
> In the mean time I have abandoned the development, however another
> kind individual has picked up from where I have left. In a private
> communication he has said to make it work with Cryptoflex 32k and
> PKCS#11 drivers from OpenSC and from the MUSCLE project.

This does indeed look very interesting. However, at the moment I don't
have a CryptoFlex 32k at hand and time doesn't permit me to play too
much with this smart card stuff. For the time being, I may simply buy an
OpenPGP card with support for 1024-bit keys and use that for my
day-to-day use. After all, 1024-bit keys still seem to be quite secure.
There have been some rumors that say otherwise, but they seem to be
based on misunderstandings (at least that's what RSA says in a 2002
technical note [1]).

> We both believe that the most useful usage scenario is master key on
> the smart-card with subkeys on the disk, as usual.

Huh? AFAICS, in general it is more important to have the subkeys on a
smart card than the master key. After all, the master key can be stored
in a safe place at home (e.g. on a CD, though a smart card would be more
secure). The subkeys are usually carried around and are, thus, an easy
target for thieves. Also, for a cracker it should usually be much easier
to gain access to an everyday machine with Internet access than it is to
get access to a system primarily used for maintaining PGP keys (such a
system should not have network access and, for additional security, it
should be booted from a reasonably tamper-proof device, e.g. from a
Knoppix CD off a recently bought computer journal).

> You can read more about the state of affairs about this (including the
> relevant links) on http://zwillow.blogspot.com/

I read about the licensing issue that you complain about in your blog.
Although I say that combining incompatible licenses is a no-no, I would
appreciate it if GPG would incorporate an interface to PKCS#11 since
both issues are essentially unrelated.

[1] http://www.rsasecurity.com/rsalabs/node.asp?id=2007

-- 
Felix E. Klee