various issues with using Fellowship smartcards

Daniel Pocock daniel at pocock.com.au
Mon Jun 17 13:14:13 UTC 2013


On 17/06/13 13:12, Heiki "Repentinus" Ojasild wrote:
> Dear Daniel,
>
> On 17/06/13 09:52, Daniel Pocock wrote:
>> and it mentions that the card supports three keys: but from what I've
>> read elsewhere, it appears to only support three 1024 bit keys, or just
>> one 4096 bit key.  What does this mean in practice: can a single 4096
>> bit key be used for all purposes (signing, encryption and ssh) or is it
>> necessary to have three separate cards for each of those subkeys?
> I am not sure whether the card supports assigning multiple uses to a
> single key; however, I have been able to create 3 4096-bit keys on the
> card. I have used the signing and encryption keys and those definitely

OK, so this feature list may be about older cards or it may not be
written clearly:
http://wiki.debian.org/Smartcards/OpenPGP#Features

When I saw that, it gave me the impression the card supports either (3 x
1024 keys) or (1 x bigger key).



> work. Unfortunately, I had problems with one card reader that worked
> fine with 2048-bit keys (Akasa AK-CR-03BK External Electronic ID and
> Smart Card Reader). Fortunately, Omnikey 1021 works fine for me. Neither
> of those has a separate pin pad, though.

OK, this leaves me feeling that a much more detailed support matrix (or
maybe even a database) may be needed to help people choose their optimal
combination of reader + card + key size + software.

For example, I would prefer to use 2048-bit keys for the moment if that
gives me wider support for card readers and software versions, while
other users may prefer to only use 4096-bit keys and just focus on a
shortlist of hardware that supports such keys and quickly see a list of
any software limitations that will apply to them.

> Regarding 1024-bit keys support only… This applied to OpenPGP version 1
> smartcards. As far as I know, these are no longer distributed to
> Fellows, so no need to worry about that.

I've definitely got the newer card; I was just concerned about the
ambiguity of how many big keys I can put on the card.




