On 01/17/2011 04:03 PM, Grant Olson wrote:
> I've been using a smartcard for several months now. It's a cryptostick
> if the model is important. Every time I sign something, it asks me for
> my pin. But once the card is unlocked, ssh authentication and
> decryption seem to happen forever, regardless of any ttl-cache settings
> in gpg-agent.conf. I just want to make sure I understand the semantics
> correctly.
>
> It seems:
>
> 1) Once I enter my pin, the card is unlocked as long as it's connected.

Yes.

> 2) I get prompted when making a signature because the sig counter gets
> incremented, and that's a write operation to the card. Decrypting and
> authenticating don't prompt because the operations don't write to the card.

I think it's rather because signing is considered more precarious than
decrypting or authenticating and not because it involves a write
operation. You can disable this behavior by changing the signature PIN
flag to 'not forced' with 'gpg --card-edit'.

> 3) The proper way to 'lock' the card is to remove it from the reader.

Yes, or you can reload the scdaemon with 'gpgconf --reload scdaemon'.
This should have the same effect. I wrote a small script that does this
for me whenever the smartcard hasn't been used for some time. I do this
to reduce the chance that someone can use the unlocked card while I'm
away or when I forget to pull the card.

Marco

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
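The idle-lock idea Marco describes above, written out as an added example (this is not Marco's script and not part of GnuPG; it only uses the 'gpgconf --reload scdaemon' command named in the thread). Everything else is an assumption of this example: the idle time is approximated by the age of a marker file that the user's own wrapper around gpg or ssh touches after each card use, IDLE_LIMIT is the inactivity threshold in seconds, and the loop polls every 30 seconds. Reloading scdaemon drops the card's unlocked state, so an attacker with access to the unattended machine can no longer decrypt or authenticate with the inserted card without the PIN.

```shell
#!/bin/sh
# Added example: lock an unlocked OpenPGP smartcard after a period of inactivity
# by reloading scdaemon (the mechanism mentioned in the thread).
#
# Assumptions (hypothetical, not from the original message):
#   IDLE_LIMIT  seconds of inactivity before the card is locked (default 600)
#   MARKER      file whose mtime records the last card use; the user's own
#               gpg/ssh wrapper is expected to call touch_marker after each use
#   GPGCONF     path to gpgconf (overridable so the helpers can be exercised
#               without GnuPG installed)

IDLE_LIMIT="${IDLE_LIMIT:-600}"
MARKER="${MARKER:-${TMPDIR:-/tmp}/card-last-used.$(id -u)}"
GPGCONF="${GPGCONF:-gpgconf}"

# Record that the card was just used (called from a wrapper around gpg/ssh).
touch_marker() {
    : > "$MARKER"
}

# Print the number of seconds since the marker was last touched.
# A missing marker is treated as "idle for a very long time".
idle_seconds() {
    if [ ! -e "$MARKER" ]; then
        echo 999999
        return 0
    fi
    now=$(date +%s)
    # GNU stat first, BSD/macOS stat as fallback
    last=$(stat -c %Y "$MARKER" 2>/dev/null || stat -f %m "$MARKER")
    echo $((now - last))
}

# Decision helper: succeed (exit 0) when idle time has reached the limit.
# $1 = idle seconds, $2 = limit in seconds
should_lock() {
    [ "$1" -ge "$2" ]
}

# Reload scdaemon; the card then requires the PIN again for the next operation.
lock_card() {
    "$GPGCONF" --reload scdaemon
}

# Poll loop: lock once per idle period, re-arm when the card is used again.
watch_card() {
    locked=0
    while :; do
        idle=$(idle_seconds)
        if [ "$locked" -eq 0 ] && should_lock "$idle" "$IDLE_LIMIT"; then
            lock_card && locked=1
        elif [ "$locked" -eq 1 ] && ! should_lock "$idle" "$IDLE_LIMIT"; then
            locked=0
        fi
        sleep 30
    done
}

# Start the watcher only when explicitly requested, e.g.
#   CARD_WATCH_MAIN=1 IDLE_LIMIT=300 ./card-idle-lock.sh &
if [ "${CARD_WATCH_MAIN:-0}" = 1 ]; then
    watch_card
fi
```

Run it in the background from your session startup with CARD_WATCH_MAIN=1, and have your gpg/ssh wrapper call touch_marker (or simply touch the marker file) after each use. Because scdaemon is reloaded rather than the card removed, the card stays available and the next signing, decryption or authentication request just prompts for the PIN again.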