Re: gpg-agent unable to see yubikey until manually re-running `gpg --card-status`

2015-06-29 Thread Simon Josefsson
"Lance R. Vick" writes:

> I only ever tried this on 2.0.0 as far as older versions go, and that was
> similarly broken. I didn't bother documenting as I saw there were some
> smartcard updates in 2.1.4 so I upgraded.
>
> Just now had another variation (on 2.1.4):
>
> 1. start gpg-agent
> 2. populate SSH_AUTH_SOCK
> 3. ssh successfully
> 4. remove yubikey
> 5. insert yubikey
> 6. attempt to ssh -> "Permission Denied (Publickey)"
> 7. `gpg --card-status` -> "no card present"
> 8. `gpg --card-status` (again) -> Got usual card output
> 9. ssh successfully again

What mode is your YubiKey NEO in?  If it is in the OTP/CCID combo mode,
and you touch it, it will eject the CCID interface, issue an OTP, and
then re-insert itself to CCID after a small timeout.  Just an idea.

Can you always reproduce the above, or is it timing dependent?  Does the
problem occur if you wait 20 seconds before doing every step?

Being able to reproduce this on someone else's system would be a good
step towards fixing it.

/Simon

>
> On Thu, Jun 18, 2015 at 1:32 AM, Werner Koch wrote:
>
>> On Wed, 17 Jun 2015 18:17, si...@josefsson.org said:
>>
>> > I've seen the error many times, also when I used a g10code smartcard,
>> > but lately things have been smooth.  I think there have been a couple of
>>
>> Old versions of GnuPG assumed that there is a card reader which can tell
>> you whether a card has been removed or inserted.  However USB tokens are
>> different in that you insert/remove the entire reader.  gniibe fixed
>> these problems some time ago.
>>
>>
>> Salam-Shalom,
>>
>>Werner
>>
>> --
>> Thoughts are free.  Exceptions are regulated by a federal law.
>>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Adding a subkey notation

2015-06-29 Thread Marko Božiković
Hi,

I've looked for a way to add some sort of comments on subkeys - I'd like to
have multiple authentication subkeys and easily distinguish among them.

From what I've read, notations seem to be the way to go, but I was unable to
find a way to set them on already existing subkeys...

In general, I haven't found comprehensive documentation on notations
anywhere. Is there some kind of guide/best practices documentation for them?

Thank you,
-- 
Marko



Re: Adding a subkey notation

2015-06-29 Thread Daniel Kahn Gillmor
On Mon 2015-06-29 11:33:35 -0400, Marko Božiković wrote:

> I've looked for a way to add some sort of comments on subkeys - I'd like to
> have multiple authentication subkeys and easily distinguish among them.

i've done this myself by clearing all the usage flags and using
--cert-notation.  But see the gnupg-devel thread from 2013 starting at
Message-Id: 87obeo2vg7@alice.fifthhorseman.net for some bugs i ran
into.   Hopefully they're all fixed by now, but external verification
would be welcome.

> From what I've read, notations seem to be the way to go, but I was unable to
> find a way to set them on already existing subkeys...

you generally don't want to change already-existing subkeys.  You can
just create a new subkey and set the notations on it.

> In general, I haven't found comprehensive documentation on notations
> anywhere. Is there some kind of guide/best practices documentation for them?

https://tools.ietf.org/html/rfc4880#section-5.2.3.16

The IANA registry currently contains no entries:

https://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-6

--dkg
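
The notation format defined in the RFC 4880 section linked above, as an added example that is not part of the original thread or GnuPG's code: it encodes and decodes one Notation Data signature subpacket and reports whether the name is in the user namespace (contains "@") or the IETF namespace, whose registry the reply notes is empty. The name `purpose@example.org` and its value are constructed, and only one-octet subpacket lengths are handled.

```python
import struct

HUMAN_READABLE = 0x80  # first flag octet, RFC 4880 section 5.2.3.16
NOTATION_DATA = 20     # signature subpacket type for Notation Data


def build_notation(name: str, value: str, critical: bool = False) -> bytes:
    """Encode one human-readable notation as a complete signature subpacket."""
    n, v = name.encode("utf-8"), value.encode("utf-8")
    body = bytes([HUMAN_READABLE, 0, 0, 0]) + struct.pack(">HH", len(n), len(v)) + n + v
    length = 1 + len(body)  # the subpacket length counts the type octet
    if length >= 192:
        raise ValueError("example only encodes one-octet subpacket lengths")
    return bytes([length, NOTATION_DATA | (0x80 if critical else 0)]) + body


def parse_notation(subpacket: bytes) -> dict:
    """Decode a Notation Data subpacket and classify the namespace of its name."""
    if len(subpacket) < 2 or subpacket[0] >= 192:
        raise ValueError("expected a one-octet subpacket length")
    length, sp_type = subpacket[0], subpacket[1]
    body = subpacket[2:1 + length]
    if len(subpacket) != 1 + length:
        raise ValueError("truncated or oversized subpacket")
    if sp_type & 0x7F != NOTATION_DATA:
        raise ValueError("not a Notation Data subpacket")
    if len(body) < 8:
        raise ValueError("notation header is 8 octets")
    name_len, value_len = struct.unpack(">HH", body[4:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("name/value lengths do not match subpacket length")
    name = body[8:8 + name_len].decode("utf-8")
    raw = body[8 + name_len:]
    human = bool(body[0] & HUMAN_READABLE)
    return {
        "critical": bool(sp_type & 0x80),  # bit 7 of the subpacket type
        "human_readable": human,
        "name": name,
        # Names containing "@" are user-space; all others are IETF-space.
        "namespace": "user" if "@" in name else "ietf",
        "value": raw.decode("utf-8") if human else raw,
    }


# Constructed sample: a label for one of several authentication subkeys.
SAMPLE = build_notation("purpose@example.org", "ssh laptop")
```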
