On 5/10/2011 1:35 AM, Jerome Baum wrote:
> On Tue, May 10, 2011 at 07:30, Grant Olson <k...@grant-olson.net> wrote:
>
> > But there's no way to prove that the keys were originally generated
> > on-card, and weren't imported from a software private key where there
> > was never a separate master certification key.
>
> AFAIK, the CAs over here will just supply a card. There is no question
> of whether the key is generated on-card or not -- the CA confirms this
> implicitly with their certification of "this is a valid signing key per
> applicable signature laws".

Okay, yeah, if the CA sets up the card, authenticates it with their signing key, and ships it to you, then there would never be a separate master key, no problem there.

I get the feeling the card won't like it if you try to create a software signing key, but I'm not sure how that will work. I do have a spare card here if you want me to test this.

--
Grant