
"gpg --card-edit" with multiple card readers (Yubikey)
Hi,

I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
single "YubiKey 5 USB (5.4.3) [CCID]".

The issue comes when I plug more than one Yubikey.

I can use "gpg --card-status all" to retrieve the information of all
connected Yubikeys or "gpg --card-status ID" (where ID is the value from
field "Application ID") to retrieve the information of a specific Yubikey.

I have tried to do the same with "gpg --card-edit" but this command does
not support passing the ID of a specific Yubikey and it always selects the
last plugged Yubikey.

So, is there a way to select a specific Yubikey for the "gpg --card-edit"
command?

Thanks in advance,
Juanjo
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Friday, 7 July 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".
>
> The issue comes when I plug more than one Yubikey.
>
> I can use "gpg --card-status all" to retrieve the information of all
> connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> field "Application ID") to retrieve the information of a specific Yubikey.
>
> I have tried to do the same with "gpg --card-edit" but this command does
> not support passing the ID of a specific Yubikey and it always selects the
> last plugged Yubikey.
>
> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?

You may have luck with setting a specific reader-port (see `man scdaemon`).

But, unless you need to use the command line, it's probably much easier to use
Kleopatra which supports multiple card readers and multiple card apps
(OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything
`gpg --card-edit` or the new gpg-card tool support.

Regards,
Ingo
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Fri, Jul 7, 2023 at 12:07 PM Ingo Klöcker <kloecker@kde.org> wrote:
>
> On Friday, 7 July 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
> >
> > The issue comes when I plug more than one Yubikey.
> >
> > I can use "gpg --card-status all" to retrieve the information of all
> > connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> > field "Application ID") to retrieve the information of a specific Yubikey.
> >
> > I have tried to do the same with "gpg --card-edit" but this command does
> > not support passing the ID of a specific Yubikey and it always selects the
> > last plugged Yubikey.
> >
> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> You may have luck with setting a specific reader-port (see `man scdaemon`).

I have already tried this with no success.

> But, unless you need to use the command line, it's probably much easier to use
> Kleopatra which supports multiple card readers and multiple card apps
> (OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything
> `gpg --card-edit` or the new gpg-card tool support.

I will take a look at this.

> Regards,
> Ingo

Thanks for your fast response Ingo.

Regards,
Juanjo

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Fri, 7 Jul 2023 11:19, Juanjo said:

> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".

You should get a recent version. Even Fedora comes with 2.4.0

> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?

GnuPG 2.3 and later supports several readers and thus the reader-port
option of scdaemon is not really useful anymore. Please have a look at
gpg-card [1], this new tool will eventually replace gpg --card-edit but
it is different because it supports all kind of cards. There is even a
yubikey control command. It depends on what you actually want to do.


Shalom-Salam,

Werner


[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Fri, Jul 7, 2023 at 1:12 PM Werner Koch <wk@gnupg.org> wrote:
>
> On Fri, 7 Jul 2023 11:19, Juanjo said:
>
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
>
> You should get a recent version. Even Fedora comes with 2.4.0

OK, I will try to recompile gnupg RPM from Fedora sources.

> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> GnuPG 2.3 and later supports several readers and thus the reader-port
> option of scdaemon is not really useful anymore. Please have a look at
> gpg-card [1], this new tool will eventually replace gpg --card-edit but
> it is different because it supports all kind of cards. There is even a
> yubikey control command. It depends on what you actually want to do.

I will take a look at gpg-card.

Our setup is very simple, we disabled all NFC Applications on the
Yubikey and also disabled all USB applications except OPENPGP.

Then we generate a PGP certificate on Yubikey and use it to access our
servers via SSH (by using the ability of gpg-agent to act as
ssh-agent).
This works fine with a single Yubikey, but we wanted to have more than
one connected at the same time in order to batch-configure them and
even to try to use multiple SSH key authentication in specific target
servers.

> Shalom-Salam,
>
> Werner

Thanks for your fast response, Werner.

Regards,
Juanjo

Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Fri, 7 Jul 2023 14:22, Juanjo said:

> This works fine with a single Yubikey, but we wanted to have more than
> one connected at the same time in order to batch-configure them and
> even to try to use multiple SSH key authentication in specific target

Most of the time I am using several Yubikeys and other smartcards. Some
even remotely. For example I use an SSH connection with socket
forwarding to our build server. Over that connection I provide access
to an Authenticode token, my release key and ssh keys on tokens.

I should eventually describe the environment. As a starter:
"no-autostart" in common.conf on the build box, gpg-card with "verify"
to unlock keys on the desktop for remote use by the build process
(Authenticode), and some keywords in the private key files (Use-for-p11,
Use-for-ssh).

To create keys, use gpg-card which can easily be scripted. Examples:

$ gpg-card list D2760001240100000006154932830000 \
-- yubikey disable nfc all \
-- yubikey disable usb otp u2f piv oath fido2 \
-- yubikey list
OTP no no
U2F no no
OPGP yes no
PIV no no
OATH no no
FIDO2 no no

$ gpg-card
[...]
gpg/card> help generate
GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF

Create a new key on a card.
Use --force to overwrite an existing key.
Use "help" for ALGO to get a list of known algorithms.
For OpenPGP cards several algos may be given.
Note that the OpenPGP key generation is done interactively
unless a single ALGO or KEYREF are given.
[Supported by: OpenPGP, PIV]




Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Werner Koch via Gnupg-users <gnupg-users@gnupg.org> wrote:
> On Fri, 7 Jul 2023 14:22, Juanjo said:

>> This works fine with a single Yubikey, but we wanted to have more than
>> one connected at the same time in order to batch-configure them and
>> even to try to use multiple SSH key authentication in specific target

> Most of the time I am using several Yubikeys and other smartcards.
> Some even remotely. For example I use an SSH connection with socket
> forwarding to our build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.

> I should eventually describe the environment.

Yes please.
Could it go into a wiki page or something that people can comment on and/or amend?

The need for more secure, and more reproducible code-signing environments is
becoming critical. Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but we
really don't know what exactly to use, and don't want to be on the bleeding
edge here.

> As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files
> (Use-for-p11, Use-for-ssh).

> To create keys, use gpg-card which can easily be scripted. Examples:

> $ gpg-card list D2760001240100000006154932830000 \
>     -- yubikey disable nfc all \
>     -- yubikey disable usb otp u2f piv oath fido2 \
>     -- yubikey list
> OTP no no
> U2F no no
> OPGP yes no
> PIV no no
> OATH no no
> FIDO2 no no

> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF

> Create a new key on a card.
> Use --force to overwrite an existing key.
> Use "help" for ALGO to get a list of known algorithms.
> For OpenPGP cards several algos may be given.
> Note that the OpenPGP key generation is done interactively
> unless a single ALGO or KEYREF are given.
> [Supported by: OpenPGP, PIV]

Thank you.
Which model of Yubikey are you using?
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Fri, Jul 7, 2023 at 2:54 PM Werner Koch <wk@gnupg.org> wrote:
>
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>
> > This works fine with a single Yubikey, but we wanted to have more than
> > one connected at the same time in order to batch-configure them and
> > even to try to use multiple SSH key authentication in specific target
>
> Most of the time I am using several Yubikeys and other smardcards. Some
> even remotely. For example I use an SSH connection with socket
> forwarding to out build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
>
> I should eventually describe the environment. As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files (Use-for-p11,
> Use-for-ssh).
>
> To create keys, use gpg-card which can easily be scripted. Examples:
>
> $ gpg-card list D2760001240100000006154932830000 \
> -- yubikey disable nfc all \
> -- yubikey disable usb otp u2f piv oath fido2 \
> -- yubikey list
> OTP no no
> U2F no no
> OPGP yes no
> PIV no no
> OATH no no
> FIDO2 no no

OK, we are currently using Yubico "ykman" to do this job, it's nice
that "gpg-card" can configure this natively.

There are other settings managed via "ykman" not provided by "gpg-card":
* The number of PIN retry attempts: ykman openpgp access set-retries
* The touch policy: ykman openpgp keys set-touch

> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
> Create a new key on a card.
> Use --force to overwrite an existing key.
> Use "help" for ALGO to get a list of known algorithms.
> For OpenPGP cards several algos may be given.
> Note that the OpenPGP key generation is done interactively
> unless a single ALGO or KEYREF are given.
> [Supported by: OpenPGP, PIV]

According to gpg-card [1], only the LIST command accepts a parameter [n]
to select a specific Yubikey (via the card number, as shown by "gpg-card
list --cards", or the serial number).

But playing a little more with gpg-card (still version 2.3.3) I have
noticed that the LIST command "changes" the default card for the
following commands in the same invocation, so I can achieve my
initial goal:

$ gpg-card list D2760001240100000006154932830000 -- generate
$ gpg-card list D2760001240100000006154932830000 -- passwd pinref

where "pinref" is the numeric menu entry you use in interactive mode:

$ gpg-card
Reader ...........: Yubico YubiKey CCID 02 00
Card type ........: yubikey
Card firmware ....: 5.4.3
[...]

gpg/card> passwd
OpenPGP card no. XX YY ZZZ detected

1 - change the PIN
2 - unblock and set new a PIN
3 - change the Admin PIN
4 - set the Reset Code
Q - quit

Your selection? Q
gpg/card> Q

$

Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
used to change from default rsa2048 to rsa4096.

Werner, thanks for your help, but I think we are going to use the
gnupg version shipped with AlmaLinux 9 and configure the Yubikey one
by one.

Regards,
Juanjo


[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html

Re: "gpg --card-edit" with multiple card readers (Yubikey)
Michael,

On Friday 07 July 2023 20:32:15 Michael Richardson wrote:
>     > I should eventually describe the environment.
>
> Yes please.
> Could it go into a wiki page or something that people can comment on and/or
> amend?

feel free to open a page with the info that Werner has already given on
https://wiki.gnupg.org

Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Mon, Jul 10, 2023 at 3:54 PM Bernhard Reiter <bernhard@intevation.de> wrote:
>
> Michael,
>
> On Friday 07 July 2023 20:32:15 Michael Richardson wrote:
> > > I should eventually describe the environment.
> >
> > Yes please.
> > Could it go into a wiki page or something that people can comment on and/or
> > amend?
>
> feel free to open a page with the info that Werner has already given on
> https://wiki.gnupg.org

This may be a good starting point: https://github.com/drduh/YubiKey-Guide

In fact, there I finally found how to set the default Yubikey used by
"gpg --card-edit" when you have multiple keys inserted (remember
AlmaLinux9, gnupg2-2.3.3-2.el9_0.x86_64):

$ ykman list
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137XXX
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137YYY
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137ZZZ
$
$ gpg --card-status | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 03 00
Application ID ...: D276000124010000000618137XXX0000
Serial number ....: 18137XXX
$
$ gpg --card-status all | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 03 00
Application ID ...: D276000124010000000618137XXX0000
Serial number ....: 18137XXX
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Serial number ....: 18137YYY
Reader ...........: Yubico YubiKey CCID 00 00
Application ID ...: D276000124010000000618137ZZZ0000
Serial number ....: 18137ZZZ
$
$
$ gpg-connect-agent 'SCD SERIALNO help' /bye
[...]
# SERIALNO [--demand=<serialno>] [--all] [<apptype>]
[...]
$
$ gpg-connect-agent 'scd serialno --demand=D276000124010000000618137YYY0000' /bye
S SERIALNO D276000124010000000618137YYY0000
OK
$
$ gpg --card-status | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Serial number ....: 18137YYY
$
$ gpg --card-edit

Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: 18137YYY
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 5 5 5
Signature counter : 4
KDF setting ......: on
UIF setting ......: Sign=on Decrypt=on Auth=on
Signature key ....: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
Encryption key....: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
Authentication key: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
General key info..:
pub rsa4096/...
card-no: 0006 18137YYY
card-no: 0006 18137YYY
card-no: 0006 18137YYY

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
[...]

>
> Regards,
> Bernhard

Regards,
Juanjo


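The two selection mechanisms that came up in the thread, Werner's "gpg-card list ID -- cmd -- cmd" chaining and the "SCD SERIALNO --demand" switch that makes a chosen token the default for "gpg --card-edit", combined into one script. This is an added example for this page, not code from the thread or from GnuPG: the DRY_RUN switch and the cards.sh name are this script's own, and the status text it parses under DRY_RUN is a constructed sample with placeholder Application IDs. It assumes GnuPG 2.3 or later with gpg, gpg-card and gpg-connect-agent on PATH.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or GnuPG): pick one of several
# connected OpenPGP cards for gpg/gpg-card and batch-configure all of them.
# Assumes GnuPG >= 2.3 with gpg, gpg-card and gpg-connect-agent on PATH.
# DRY_RUN is a switch invented for this script: with DRY_RUN=1 no card is
# touched and the constructed sample below stands in for real output.

# Constructed sample of "gpg --card-status all" (placeholder serials, not
# real devices), shaped like the output quoted in the thread.
SAMPLE_STATUS='Reader ...........: Yubico YubiKey CCID 03 00
Application ID ...: D276000124010000000618137XXX0000
Serial number ....: 18137XXX
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Serial number ....: 18137YYY'

# app_ids: filter "gpg --card-status all" output (stdin) down to one
# Application ID per line; that ID is what SERIALNO --demand expects.
app_ids() {
  awk -F': *' '/^Application ID/ { sub(/[ \t\r]+$/, "", $2); print $2 }'
}

# card_status_all: real status normally, the constructed sample under DRY_RUN.
card_status_all() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$SAMPLE_STATUS"
  else gpg --card-status all; fi
}

# reply_selects APPID REPLY: true only if the gpg-connect-agent reply
# carries both "S SERIALNO APPID" and a final "OK". Anything else (an ERR
# line, or a different serial echoed back) means the wrong card, or no
# card, would be edited next, so the caller must stop.
reply_selects() {
  printf '%s\n' "$2" | grep -qxF "S SERIALNO $1" &&
  printf '%s\n' "$2" | grep -qxF 'OK'
}

# select_card APPID: make this card scdaemon's current default so that a
# following "gpg --card-edit" (which takes no card argument) operates on it.
select_card() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "gpg-connect-agent 'SCD SERIALNO --demand=$1' /bye"; return 0
  fi
  reply=$(gpg-connect-agent "SCD SERIALNO --demand=$1" /bye) || return 1
  reply_selects "$1" "$reply"
}

# gpgcard_cmd APPID CMD...: the gpg-card invocation for one card; "list
# APPID" first makes that card current, "--" separates further commands.
gpgcard_cmd() {
  id=$1; shift
  printf 'gpg-card list %s' "$id"
  for c in "$@"; do printf ' -- %s' "$c"; done
  printf '\n'
}

# configure_card APPID: the app-disabling sequence from the thread, run
# against exactly one card (only printed under DRY_RUN).
configure_card() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    gpgcard_cmd "$1" 'yubikey disable nfc all' \
      'yubikey disable usb otp u2f piv oath fido2' 'yubikey list'
  else
    gpg-card list "$1" \
      -- yubikey disable nfc all \
      -- yubikey disable usb otp u2f piv oath fido2 \
      -- yubikey list
  fi
}

# configure_all: apply configure_card to every connected card, stopping at
# the first failure rather than continuing on the remaining tokens.
configure_all() {
  ids=$(card_status_all | app_ids) || return 1
  for id in $ids; do   # IDs are plain hex tokens, so word splitting is safe
    configure_card "$id" || { echo "failed on $id" >&2; return 1; }
  done
}

# Usage:  DRY_RUN=1 ./cards.sh configure      (print what would run)
#         ./cards.sh configure                (configure every card)
#         ./cards.sh edit D276...0000         (gpg --card-edit on that card)
case "${1:-}" in
  configure) configure_all ;;
  edit) select_card "$2" && { [ "${DRY_RUN:-0}" = 1 ] || gpg --card-edit; } ;;
esac
```

The check in reply_selects is the part worth keeping even if the rest is discarded: "--demand" is trusted only after scdaemon echoes back the requested Application ID followed by OK. Without it, a typo or an unplugged token leaves the previous default card selected and the next generate or passwd silently runs on the wrong Yubikey. Re-run select_card before every card-specific gpg invocation, since the selection is state inside the running scdaemon, not an argument to gpg.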
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Juanjo via Gnupg-users <gnupg-users@gnupg.org> wrote:
>>>> I should eventually describe the environment.
>>>
>>> Yes please.
>>> Could it go into a wiki page or something that people can comment on and/or amend?
>>
>> feel free to open a page with the info that Werner has already given
>> on https://wiki.gnupg.org

> This may be a good starting point:
> https://github.com/drduh/YubiKey-Guide

"Keys stored on YubiKey are non-exportable (as opposed to file-based keys
that are stored on disk) and are convenient for everyday use. "

In my case, I want the same key on multiple devices, which 3 to 5 core
members of an open source project will hold.
(I am also considering if we want a higher security key which would be secret
split across those keys, but we aren't building a CA here, but..)

Is that possible with these devices?

In some cases keys can be transferred in an encrypted form to another device,
but not recovered by outsiders.
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Sat, Jul 15, 2023 at 9:36 PM Michael Richardson <mcr@sandelman.ca> wrote:
>
>
> Juanjo via Gnupg-users <gnupg-users@gnupg.org> wrote:
> >>>> I should eventually describe the environment.
> >>>
> >>> Yes please.
> >>> Could it go into a wiki page or something that people can comment on and/or amend?
> >>
> >> feel free to open a page with the info that Werner has already given
> >> on https://wiki.gnupg.org
>
> > This may be a good starting point:
> > https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transferred in an encrypted form to another device,
> but not recovered by outsiders.

We use keys generated into the yubikey, but I think the wiki
YubiKey-Guide in my previous e-mail just covers your use case:
generate GPG keys outside the Yubikey, backup them, and then transfer
the generated keys to a single or multiple Yubikeys.

Regards,
Juanjo

Re: "gpg --card-edit" with multiple card readers (Yubikey)
On 15 Jul 2023, at 20:36, Michael Richardson <mcr@sandelman.ca> wrote:
>
> Juanjo via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
>> This may be a good starting point:
>> https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transferred in an encrypted form to another device,
> but not recovered by outsiders.

This is not possible with a Yubikey. If you want the same (sub)keys on multiple devices you must generate them on your laptop and copy them to each device in turn, remembering not to delete until you’re done.

A
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Andrew Gallagher <andrewg@andrewg.com> wrote:
>> Juanjo via Gnupg-users <gnupg-users@gnupg.org> wrote:
>>
>>> This may be a good starting point:
>>> https://github.com/drduh/YubiKey-Guide
>>
>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>> keys that are stored on disk) and are convenient for everyday use. "
>>
>> In my case, I want the same key on multiple devices, which 3 to 5 core
>> members of an open source project will hold. (I am also considering
>> if we want a higher security key which would be secret split across
>> those keys, but we aren't building a CA here, but..)
>>
>> Is that possible with these devices?
>>
>> In some cases keys can be transferred in an encrypted form to another
>> device, but not recovered by outsiders.

> This is not possible with a Yubikey. If you want the same (sub)keys on
> multiple devices you must generate them on your laptop and copy them to
> each device in turn, remembering not to delete until you’re done.

okay, so in this case we are using the Yubikey only as a storage, equivalent
essentially to a USB storage? Or does it still do crypto on the device?

--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On 17 Jul 2023, at 18:36, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> Andrew Gallagher <andrewg@andrewg.com> wrote:
>>> Juanjo via Gnupg-users <gnupg-users@gnupg.org> wrote:
>>>
>>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>>> keys that are stored on disk) and are convenient for everyday use. "
>>>
>>> In my case, I want the same key on multiple devices, which 3 to 5 core
>>> members of an open source project will hold. (I am also considering
>>> if we want a higher security key which would be secret split across
>>> those keys, but we aren't building a CA here, but..)
>>>
>>> Is that possible with these devices?
>>>
>>> In some cases keys can be transferred in an encrypted form to another
>>> device, but not recovered by outsiders.
>
>> This is not possible with a Yubikey. If you want the same (sub)keys on
>> multiple devices you must generate them on your laptop and copy them to
>> each device in turn, remembering not to delete until you’re done.
>
> okay, so in this case we are using the Yubikey only as a storage, equivalent
> essentially to a USB storage? Or does it still do crypto on the device?

The yubikey performs cryptography on the device, but does have a small amount of flash memory to store the private key material. The yubikey does not provide any method to copy the private key material back off that storage, it can only be overwritten or used by the yubikey’s own processor.

A
Re: "gpg --card-edit" with multiple card readers (Yubikey)
Andrew Gallagher <andrewg@andrewg.com> wrote:
> The yubikey performs cryptography on the device, but does have a small
> amount of flash memory to store the private key material. The yubikey
> does not provide any method to copy the private key material back off
> that storage, it can only be overwritten or used by the yubikey’s own
> processor.

So I can generate the key on a laptop, copy it to multiple Yubikeys, and do the
crypto on the device, and the Yubikey won't let the private key out again.
Once I destroy the copy on my laptop, then I'm good.
Re: "gpg --card-edit" with multiple card readers (Yubikey)
On 20.07.2023 at 03.47 Michael Richardson wrote:
>
> Andrew Gallagher <andrewg@andrewg.com> wrote:
> > The yubikey does not provide any method to copy the private key material back off
> > that storage..
>
> So I can generate the key on a laptop, copy it to multiple Yubikeys, and do the
> crypto on the device, and the Yubikey won't let the private key out again.
> Once I destroy the copy on my laptop, then I'm good.

Right, although I would recommend copying the key onto two Yubikeys, in case you
lose your primary key or it breaks for some reason.

Another possibility is to keep the "generator PC" in a safe place.

--
Klaus

Re: "gpg --card-edit" with multiple card readers (Yubikey)
On Mon, 10 Jul 2023 10:48, Juanjo said:

> There are other settings managed via "ykman" not provided by "gpg-card":
> * The number of PIN retry attempts: ykman openpgp access set-retries
> * The touch policy: ykman openpgp keys set-touch

Easy to add; do you want to file a feature request over at dev.gnupg.org?

> Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
> used to change from default rsa2048 to rsa4096.

You don't need it because this is now done on the fly (might require to
enter the Admin PIN twice, though). See also

gpg/card> help generate
GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF

Create a new key on a card.
Use --force to overwrite an existing key.
Use "help" for ALGO to get a list of known algorithms.
For OpenPGP cards several algos may be given.
Note that the OpenPGP key generation is done interactively
unless a single ALGO or KEYREF are given.
[Supported by: OpenPGP, PIV]



Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein