On 08/08/2016 07:27 PM, Cornelius Kölbel wrote:
> I am wondering if it is possible to have several GnuPG Smartcards
> connected.

Currently, this configuration is not supported by scdaemon.

I don't know any portable technical solution (supporting GNU/Linux, Windows, and MacOS X, etc.) to handle multiple card readers (and/or cards) simultaneously by a single application.

Now, the GnuPG 2.1 internal CCID driver has migrated to a newer libusb. So, I think that we can consider a solution by the internal CCID driver, supporting multiple card readers (or cards) simultaneously by a single application. I don't know how portable a possible libusb solution is, though.

> Let's assume I have several smartcards,
> one has a PGP key of iden...@example.com, the other of
> identi...@example.com.

In fact, I am using multiple tokens daily for gni...@fsij.org; ed25519 with 249CB3771750745D5CDD323CE267B052364F028D, rsa2048 with 124124BD3B4862AF7A0A42F100B45EBD4CA7BABE. It annoys me somehow.

> If I now try to decrypt something which is encrypted for
> identi...@example.com would the gpg-agent/scdaemon be smart enough to
> ask the correct smartcard with the right identity/private key?

If there is no token inserted, it fails. If a correct token is inserted, it goes well. If a different token is inserted, GnuPG asks a user to remove a different token and to insert another token. This is the current behavior.

There is a small problem yet. When GnuPG sees an encrypted message for both of E267B052364F028D, 00B45EBD4CA7BABE, it handles a possible key in a sequence (as listed in an encrypted message). Suppose the key list is: E267B052364F028D and 00B45EBD4CA7BABE, and I already inserted a token for 00B45EBD4CA7BABE in my computer. GnuPG asks me to change a token when it finds E267B052364F028D in an encrypted message, even if the message can be decrypted by the token inserted already.
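Added example, not part of the original mail and not GnuPG code: a small Python check that reads `gpg --list-packets` output, lists the recipient key IDs in message order, and compares the swap prompt described above with what the inserted token could already decrypt. The sample output is constructed (algo numbers and data sizes are illustrative), the function names are hypothetical, and `sequential_outcome` models only the behaviour reported in the mail.

```python
import re

# Constructed sample of `gpg --list-packets` output for a message encrypted
# to the two key IDs named in the mail, in the order the mail supposes.
SAMPLE_LIST_PACKETS = (
    ":pubkey enc packet: version 3, algo 18, keyid E267B052364F028D\n"
    "\tdata: [263 bits]\n"
    "\tdata: [392 bits]\n"
    ":pubkey enc packet: version 3, algo 1, keyid 00B45EBD4CA7BABE\n"
    "\tdata: [2047 bits]\n"
    ":encrypted data packet:\n"
    "\tlength: unknown\n"
)

PKESK_RE = re.compile(
    r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})[ \t]*$", re.M)
HIDDEN = "0" * 16  # all-zero key ID: hidden recipient, cannot be matched by ID


def recipient_keyids(list_packets_output):
    """Recipient key IDs in the order they appear in the message."""
    return [k.upper() for k in PKESK_RE.findall(list_packets_output)]


def sequential_outcome(recipients, inserted_keyid):
    """Model of the reported behaviour: the first listed key decides.

    If it is not the key on the inserted token, the user is asked to swap,
    even when a later recipient matches the inserted token.
    """
    known = [k for k in recipients if k != HIDDEN]
    if not known:
        return ("no_known_recipient", None)
    first = known[0]
    if first == inserted_keyid.upper():
        return ("decrypt", first)
    return ("prompt_swap", first)


def decryptable_without_swap(recipients, inserted_keyid):
    """True if any recipient key ID is the one on the inserted token."""
    return inserted_keyid.upper() in recipients


if __name__ == "__main__":
    ids = recipient_keyids(SAMPLE_LIST_PACKETS)
    inserted = "00B45EBD4CA7BABE"  # token assumed to be in the reader
    print(ids, sequential_outcome(ids, inserted),
          decryptable_without_swap(ids, inserted))
```
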