On Thu, 17 Dec 2009 11:27:53 +0100, marco+gn...@websource.ch wrote: > As I wrote in my posting I have tried to use this option but it does not > work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens > 15 seconds after accessing the card. The card remains unlocked as long
Actually it should release the card immediatley after use. It is only a boolean switch for now. I forgot to mention that this feature is only available with pcsc and not with the internal driver. > 1. Couldn't gpg-agent reload scdaemon in the same way when > default/max-cache-ttl is exceeded? This would provide the same > functionality for unlocked smartcards as for cached passphrases, which > would make sense since both are affected by the same security risk > (agent hijacking). If you are talking about malware on your box, nothing will help you. You don't have any control anymore on your box. The only advantage you have is that the bot needs to wait until you enter the PIN the next time and then it can replay the PIN as needed. Oh, you are using a pinpad reader - well in this case the malware just et you sign something it is interested in and not what you assume. > 2. Couldn't scdaemon be configured to also access the signature key on > the card every time, even if only the authentication or encryption key > is needed? Then, entering the PIN would be required also every time for > e.g. ssh authentication (if the force-sig flag is set on the card). This > would basically provide the same functionality as 'card-timeout 1' > (provided that it works) without the trouble of powering down and up the Why would you want to do that? See above. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
