On 20/02/2015 11:36, Jonathan Schleifer wrote:
>> 1 - support for more keys (expired ENC keys, multiple signature keys)
> And maybe for storing a certification key with a different PIN.

Wasn't it covered by "2 - different PINs for different keys"? :)

>> 5 - possibility to export private keys to user-certified devices
> That pretty much defeats the point of using a smart card in the first place.

That's not "uncontrolled export", and in fact such a feature is implemented in HSMs to avoid unsafe key generation (outside the HSM itself) *and* the risk of key loss.
The idea is that *before* creating/importing the master key, you set the policy, including the key ID (or IDs) that can ask for key export. Once the master key gets created, you can no longer alter the policy.
The policy should be exported together with the key and override the existing one when importing a key (so that you "can't" alter the policy by exporting from a device and importing on another; actually it's just "really hard", but doing that should invalidate signatures on your master key!).

>> 6 - like in Yubikey NEO, a physical button to authorize some operations
>> can be useful (certification, signature, NFC PIN-less auth)
> That would be a pretty useful thing, but require you to trust the card
> reader. This, however, would really make sense on the Gnuk and I guess
> you could even do that without changing the spec.

Nope. It's possible to have (at least I've seen one: my father does have it!) smartcards with small displays, keyboards (1-2 keys could be enough, but a full 4x3 keypad would be awesome!) and even batteries/solar panels!
The form factor is not the real problem. The problem is that it's quite a closed and secretive market, heavily relying on security by obscurity (when I asked Yubikey how to access the "user presence" key from a Java applet, they answered I'd have had to contact NXP and sign an NDA!).
So no need to trust the card reader :)

BYtE,
 Diego.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
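The policy-bound export scheme Diego describes above (policy fixed before the master key exists, export only to key IDs named in that policy, policy travelling with the exported key and overriding the importing device's own, and any tampering with it invalidating certifications on the key), as an added toy model. This is illustration code written for this page, not GnuPG, OpenPGP-card, Gnuk or any HSM vendor's implementation. It assumes a hypothetical `Token` class and `ExportPolicy` type; the key pair is a stand-in derived with SHA-256, and a keyed HMAC stands in for a third party's certification signature. The point it shows is that hashing the policy into the fingerprint is what makes a widened policy detectable.

```python
"""Toy model of a hardware token whose key-export policy is fixed before
the master key exists and is bound into the key's fingerprint.
Illustration only: not GnuPG, OpenPGP-card, Gnuk or any HSM vendor's code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


class PolicyError(Exception):
    """Raised when an operation violates the token's fixed policy."""


@dataclass(frozen=True)
class ExportPolicy:
    # Key IDs (arbitrary strings here) allowed to request a private-key export.
    export_authorized: frozenset

    def canonical(self) -> bytes:
        # Deterministic encoding so equal policies always hash identically.
        return json.dumps({"export_authorized": sorted(self.export_authorized)},
                          separators=(",", ":")).encode()


def fingerprint(public_key: bytes, policy: ExportPolicy) -> str:
    # The policy is hashed together with the public key: changing the policy
    # changes the fingerprint, so certifications over the old one stop matching.
    return hashlib.sha256(b"pub:" + public_key + b"|policy:" + policy.canonical()).hexdigest()


class Token:
    """Simulated card/HSM (hypothetical). Private key leaves only via export_to()."""

    def __init__(self, name: str):
        self.name = name
        self._private = None
        self._public = None
        self._policy = None

    def generate(self, policy: ExportPolicy) -> str:
        # Policy must be set before the key exists and cannot be replaced afterwards.
        if self._private is not None:
            raise PolicyError(f"{self.name}: key already present, policy is frozen")
        self._private = secrets.token_bytes(32)
        # Toy public-key derivation; a real token would hold a real key pair.
        self._public = hashlib.sha256(b"derive:" + self._private).digest()
        self._policy = policy
        return self.fingerprint()

    def fingerprint(self) -> str:
        return fingerprint(self._public, self._policy)

    def export_to(self, requester_key_id: str) -> dict:
        # Controlled export: only key IDs named in the creation-time policy.
        if requester_key_id not in self._policy.export_authorized:
            raise PolicyError(f"{requester_key_id} may not export from {self.name}")
        # The policy travels with the key material.
        return {"private": self._private, "public": self._public, "policy": self._policy}

    def import_blob(self, blob: dict) -> str:
        if self._private is not None:
            raise PolicyError(f"{self.name}: key already present, refusing import")
        # The imported policy overrides whatever the receiving token had.
        self._private, self._public, self._policy = blob["private"], blob["public"], blob["policy"]
        return self.fingerprint()


def certify(certifier_secret: bytes, fpr: str) -> bytes:
    # Stand-in for a third party's certification signature over the key.
    return hmac.new(certifier_secret, fpr.encode(), hashlib.sha256).digest()


def certification_valid(certifier_secret: bytes, fpr: str, cert: bytes) -> bool:
    return hmac.compare_digest(certify(certifier_secret, fpr), cert)


def demo() -> dict:
    policy = ExportPolicy(frozenset({"0xALICE-BACKUP"}))  # constructed sample policy
    card = Token("card-A")
    fpr = card.generate(policy)
    certifier = secrets.token_bytes(32)
    cert = certify(certifier, fpr)

    try:  # an unlisted requester is refused
        card.export_to("0xMALLORY")
        unauthorized_refused = False
    except PolicyError:
        unauthorized_refused = True
    blob = card.export_to("0xALICE-BACKUP")

    backup = Token("card-B")  # honest import: same fingerprint, cert still valid
    fpr_backup = backup.import_blob(blob)

    tampered = dict(blob, policy=ExportPolicy(frozenset({"0xALICE-BACKUP", "0xMALLORY"})))
    rogue = Token("card-C")  # widened policy: new fingerprint, cert no longer applies
    fpr_rogue = rogue.import_blob(tampered)

    return {
        "unauthorized_refused": unauthorized_refused,
        "backup_matches": fpr_backup == fpr and certification_valid(certifier, fpr_backup, cert),
        "tampered_matches": fpr_rogue == fpr,
        "tampered_cert_valid": certification_valid(certifier, fpr_rogue, cert),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately has no `set_policy()` on a populated token: the only way to change a policy is to re-import under a different one, and then the fingerprint, and with it every certification, no longer matches, which is the "really hard, and it invalidates signatures" property the message asks for.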