On Thu, 19 Sep 2019 00:13, uri@mit.edu said:
> Another problem is that GnuPG insists on opening the card in an
> exclusive mode - which is unacceptable for cards/tokens with multiple
> applets (OpenPGP and PIV is what I've got), as different apps require

Actually this is another reason to have exclusive access. It allows
us to switch between the PIV and OpenPGP apps on a Yubikey as needed.

> use of both applets, sometimes running in parallel - like a browser
> session that uses PIV to authenticate to the server, an email session
> that may use both PIV and OpenPGP applets to deal with S/MIME and
> PGP/MIME emails, and occasional SSH operations during that time.

That is exactly the use case we have implemented. Needs more testing
with several cards but a single Yubikey works well enough known in 2.3.
To make testing easier we have Debian packages of gnupg master (to be
2.3) and scute (our pkcs11 provider) available:

deb [arch=amd64] https://ftp.g10code.com/apt buster gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt stretch gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt cosmic gnupg-beta

The versions currently available do not yet include gniibe's latest
changes. I was able to use gpg for signing and encrypting with a card
while also accessing PIV key protected pages with Firefox. Earlier this
year I also did tests with Thunderbird, which also worked. Yubikey 5 and
4 are supported. You may want to have a look at the new gpg-card tool
and its man page. Also gpg --full-gen-key and gpgsm --gen-key now show
a list of keys available on the current smartcard and allow using them
for the generation of OpenPGP/X.509 certificates. --quick-gen-key has
also been enhanced to act upon the special algo parameter "card" with
the generation of a standard OpenPGP key based on the standard signing
and decryption key of the card (for OpenPGP, Netkey, and PIV cards).

Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
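An added shell example (not from Werner's mail or from GnuPG itself) that gates the workflow described above on a 2.3 build of gpg before touching the card: it parses `gpg --version`, checks the version is at least 2.3, lists what gpg-card sees, and then runs the `--quick-gen-key ... card` form from the mail. The script file name `card-key.sh` and the user ID argument are assumptions.

```shell
#!/bin/sh
# Added example: generate an OpenPGP key from the card's standard signing
# and decryption keys, but only on a GnuPG release that knows the "card"
# algo (2.3 and later). Nothing here is GnuPG's own code.

# Return 0 when a "MAJOR.MINOR[.PATCH]" string is at least 2.3.
# Pure string work, so it can be checked without a card or a gpg binary.
gnupg_has_card_algo() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] 2>/dev/null && return 0
    [ "$major" -eq 2 ] 2>/dev/null && [ "$minor" -ge 3 ] 2>/dev/null
}

# Pull the version out of `gpg --version` output,
# e.g. "gpg (GnuPG) 2.3.0" -> "2.3.0"; prints nothing on unexpected input.
gnupg_version_of() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG) \([0-9.]*\).*/\1/p'
}

main() {
    # The user ID is a placeholder supplied by the caller.
    uid=${1:?usage: card-key.sh "Real Name <user@example.org>"}
    ver=$(gnupg_version_of "$(gpg --version 2>/dev/null)")
    if ! gnupg_has_card_algo "$ver"; then
        echo "need GnuPG >= 2.3 for the 'card' algo (found '${ver:-none}')" >&2
        exit 1
    fi
    # Show the card applications and key slots scdaemon currently sees.
    gpg-card list
    # Build a standard OpenPGP key from the card's signing/decryption keys.
    gpg --quick-gen-key "$uid" card
}

# Run only when executed as card-key.sh, so the helpers can also be sourced.
case "$0" in *card-key.sh) main "$@" ;; esac
```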