[email protected] writes:

> 1. It would remove the limitation of 3 key storage. Since different
> second passphrase would generate different keys, effectively a single
> device can manage an infinite number of keys (limited only by unique
> second passphrases).

This is like the FIDO-approach: no storage requirement on the device except for possibly crypto-related incremental counters.

It is quite orthogonal to the current GNUK design, but I think GNUK could be extended to support it: replace reading the encrypted key material with reading a blob from the machine together with a second passphrase and use some it together with a device-specific key to decrypt it before use. Reading the blob from the machine isn't critical: if storage is available, it can use the blob from GNUK storage instead.

The Tillitis Key -- https://tillitis.se/ -- follows this approach, and has Ed25519 signing for SSH working. It could be extended to support OpenPGP too under the FIDO-model.

/Simon

_______________________________________________
Gnuk-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnuk-users
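
The host-stored blob scheme discussed in the message above, sketched as an added example (not part of the original message, and not GNUK or Tillitis code). The names `seal` and `unseal`, the blob layout, the PBKDF2 parameters and the HMAC-based keystream (a standard-library stand-in for an AEAD cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _subkeys(device_key: bytes, passphrase: str, salt: bytes):
    # Stretch the second passphrase, then bind it to the device-specific key.
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    root = hmac.new(device_key, b"wrap" + stretched, hashlib.sha256).digest()
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream (stand-in for an AEAD cipher).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(device_key: bytes, passphrase: str, secret: bytes) -> bytes:
    """Runs on the device; the returned blob is stored on the host."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = _subkeys(device_key, passphrase, salt)
    ct = _xor_stream(k_enc, nonce, secret)
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(device_key: bytes, passphrase: str, blob: bytes) -> bytes:
    """Runs on the device; fails unless device key, passphrase and blob all match."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k_enc, k_mac = _subkeys(device_key, passphrase, salt)
    expected = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong device, wrong passphrase, or modified blob")
    return _xor_stream(k_enc, nonce, ct)

if __name__ == "__main__":
    device_key = os.urandom(32)  # constructed; would never leave the token
    secret = os.urandom(32)      # constructed stand-in for private key material
    blob = seal(device_key, "second passphrase A", secret)
    assert unseal(device_key, "second passphrase A", blob) == secret
    print(len(blob), "byte blob kept on the host; nothing stored on the device")
```

Because the tag is checked before decryption, a blob presented to a different device or with a different second passphrase is rejected rather than decrypted to garbage key material.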
