On Tue, 2012-11-06 at 11:21 +0100, Werner Koch wrote:
> On Tue,  6 Nov 2012 10:24, cor...@debian.org said:
> 
> > For gnupg2 maintainers: this is about an issue with gnupg2 not being
> > able to decrypt stuff encrypted for 4096b keys on OpenPGP smartcards.
> 
> If you look at the back of the cards you will notice a limit of 3072
> ;-).

Indeed :)

>   To stop people complaining about it I eventually lifted this limit
> in 2.1.0beta3 (2011-12-20):
> 
>  * Allow generation of card keys up to 4096 bit.

And this was also backported in 2.0.18.
> 
> I never confirmed that encryption will work.  In fact, the major problem
> we have with keys > 2048 is that some readers (or on Windows their
> drivers) seem not to work correctly related to the BWT extension
> request; or due to libusb problems.

Yeah, and I noticed that we need readers with extended APDU support too.
Having a clear view of what the issues are and if they are fixable would
help indeed. I have to admit I was really happily surprised when I saw
how easy it was to make stuff work with the OpenPGP smartcard
(especially considering the pkcs11 world), when using 2048 keys.
> 
> > As it adds a --more argument to one command, but still supports the
> > previous usages I guess it shouldn't break other applications. And
> 
> This changes the API of scdaemon and should thus not be applied without
> checking back with me.

Yes, that's why I added you to CC. I guess it's not an invasive
solution, but adding it to Debian if a different fix is committed
upstream is a bad idea.

> I am working on a similar solution for master
> but I currently have problems generating any card key (maybe a libusb
> problem on Sid).  I am looking into the latter right now.  Stay tuned.

Hmh, I didn't have any problem generating keys on-card nor moving keys
to card on Debian sid. The only thing I needed to check is to
use /usr/bin/gpg2 and not /usr/bin/gpg, since /u/b/gpg is unfortunately
1.4.12.

Regards,
-- 
Yves-Alexis

