ietf-openpgp

Re: [openpgp] [FORGED] RE: Fingerprint schemes versus what to fingerprint

2016-04-11 14:31:09
Paul,

On Mon, April 11, 2016 3:21 pm, Peter Gutmann wrote:
> Derek Atkins <derek(_at_)ihtfp(_dot_)com> writes:
>
>> Are you expecting this would work in a vacuum?  I.e., would you expect
>> that you can take your OpenPGP smart card to a fresh system on which
>> you've never used OpenPGP ever and be able to plug in that smart card
>> and have it be able to sign a document?
>
> I'm not sure what OpenPGP cards have to do with this, since I'm talking
> about PKCS #11.  I can use a PKCS #11 device with X.509, with S/MIME,
> with TLS, with SSH, with IKE, and quite probably with a number of other,
> lesser-known Internet security protocols.  The one significant one I
> can't use it with is PGP.

Sorry, by "OpenPGP Card" I mean "a smart card to use with OpenPGP".

You can absolutely use PKCS#11 with PGP; there are plenty of instances
today where that is the case.  You just need an implementation where the
secring.skr file contains the reference handle to your smartcard key
materials.

More specifically:  when you have your card generate your key material,
you pull off the public key and then generate your public key, compute
your fingerprint data (including OpenPGP metadata), and also create
secring data that contains whatever PKCS#11 reference data you need to
re-access that key.  Later when you use that card/key you know how to
reference it.

So what exactly is the issue?

> Is this a real use case?

Yes, see above.

>> It depends.  If I've got an X509 cert I can convert that to an OpenPGP
>> cert, and all the appropriate metadata is there.
>
> You still can't use it with PKCS #11.

Sure you can.

> Peter.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
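As an added example (not from this thread or from any project's code), the fingerprint step Derek describes, in Python: the RSA public half read off a card is wrapped in a v4 public-key packet body with a creation timestamp, the RFC 4880 fingerprint is taken over it, and a constructed record (hypothetical, not any real secring.skr layout) keeps that fingerprint beside a PKCS#11 token/label locator. The key values, timestamps and labels are constructed; the point is that the fingerprint covers metadata the card itself never stores.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2): 2-octet bit count, then the magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_v4_public_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 Public-Key packet for RSA (algorithm 1): version, creation time, algo, MPIs (RFC 4880 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def card_key_record(n: int, e: int, created: int, token_label: str, key_label: str) -> dict:
    """Constructed on-disk record (hypothetical, not GnuPG's or any real secring format):
    the OpenPGP identity derived from the card's public half plus the PKCS#11 locator."""
    fpr = v4_fingerprint(rsa_v4_public_body(n, e, created))
    return {
        "fingerprint": fpr,
        "key_id": fpr[-16:],          # long key ID = low 64 bits of the v4 fingerprint
        "created": created,           # must be persisted: the card does not store it
        "pkcs11": {"token": token_label, "label": key_label, "type": "private"},
    }


# Constructed values: not a real RSA key, only a stand-in for what a card would export.
CARD_N = int("CAFEBABE" * 8, 16)
CARD_E = 65537


def demo():
    rec = card_key_record(CARD_N, CARD_E, 1460000000, "MyCard", "sig-key")
    # Same card key, different creation time => a different OpenPGP fingerprint,
    # which is why the metadata has to travel with the PKCS#11 reference.
    other = card_key_record(CARD_N, CARD_E, 1460000001, "MyCard", "sig-key")
    return rec, other


if __name__ == "__main__":
    rec, other = demo()
    print(rec)
    print("fingerprints differ:", rec["fingerprint"] != other["fingerprint"])
```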