Discussion:
various issues with using Fellowship smartcards
Daniel Pocock
2013-06-17 09:52:47 UTC
Some time ago there was some discussion about the fellowship smartcard
and 4096 bit keys. I understand that most of the recent cards that say
they support 3072 actually support 4096.

Debian 7 now includes gnupg v2.0.19, so it supports 4096 as well.

The SPR532 pinpad card reader was recommended by Martin, I notice it is
superseded by the SPR332. However, the SPR332 is not on the supported
list here:
http://wiki.debian.org/Smartcards

and I also found comments suggesting that pinpad support used to be
problematic, but that was 2005:
http://lists.gnupg.org/pipermail/gnupg-users/2005-June/026082.html

and this email says it works, but doesn't specifically reference the pinpad:
http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046054.html

and it's not clear whether that means it works just for GnuPG or
potentially for other applications too (e.g. Iceweasel/Firefox, Java).

I also had another look at the fellowship page:
http://fellowship.fsfe.org/card.html

and it mentions that the card supports three keys: but from what I've
read elsewhere, it appears to only support three 1024 bit keys, or just
one 4096 bit key. What does this mean in practice: can a single 4096
bit key be used for all purposes (signing, encryption and ssh) or is it
necessary to have three separate cards for each of those subkeys?
Heiki "Repentinus" Ojasild
2013-06-17 11:12:46 UTC
Dear Daniel,
Post by Daniel Pocock
and it mentions that the card supports three keys: but from what I've
read elsewhere, it appears to only support three 1024 bit keys, or just
one 4096 bit key. What does this mean in practice: can a single 4096
bit key be used for all purposes (signing, encryption and ssh) or is it
necessary to have three separate cards for each of those subkeys?
I am not sure whether the card supports assigning multiple uses to a
single key; however, I have been able to create 3 4096-bit keys on the
card. I have used the signing and encryption keys and those definitely
work. Unfortunately, I had problems with one card reader that worked
fine with 2048-bit keys (Akasa AK-CR-03BK External Electronic ID and
Smart Card Reader). Fortunately, Omnikey 1021 works fine for me. Neither
of those has a separate pin pad, though.

Regarding 1024-bit keys support only? This applied to OpenPGP version 1
smartcards. As far as I know, these are no longer distributed to
Fellows, so no need to worry about that.


Cheers,
--
Heiki "Repentinus" Ojasild
FSFE Fellowship Representative
mailto:repentinus at fsfe.org
xmpp:repentinus at jabber.fsfe.org
http://blogs.fsfe.org/repentinus/

Daniel Pocock
2013-06-17 13:14:13 UTC
Post by Heiki "Repentinus" Ojasild
Dear Daniel,
Post by Daniel Pocock
and it mentions that the card supports three keys: but from what I've
read elsewhere, it appears to only support three 1024 bit keys, or just
one 4096 bit key. What does this mean in practice: can a single 4096
bit key be used for all purposes (signing, encryption and ssh) or is it
necessary to have three separate cards for each of those subkeys?
I am not sure whether the card supports assigning multiple uses to a
single key; however, I have been able to create 3 4096-bit keys on the
card. I have used the signing and encryption keys and those definitely
OK, so this feature list may be about older cards or it may not be
written clearly:
http://wiki.debian.org/Smartcards/OpenPGP#Features

When I saw that, it gave me the impression the card supports either (3 x
1024 keys) or (1 x bigger key).
Post by Heiki "Repentinus" Ojasild
work. Unfortunately, I had problems with one card reader that worked
fine with 2048-bit keys (Akasa AK-CR-03BK External Electronic ID and
Smart Card Reader). Fortunately, Omnikey 1021 works fine for me. Neither
of those has a separate pin pad, though.
Ok, this leaves me feeling that a much more detailed support matrix (or
maybe even a database) may be needed to help people choose their optimal
combination of reader + card + key size + software.

For example, I would prefer to use 2048 bit keys for the moment if that
gives me wider support for card readers and software versions while
other users may prefer to only use 4096 bit keys and just focus on a
shortlist of hardware that supports such keys and quickly see a list of
any software limitations that will apply to them.
Post by Heiki "Repentinus" Ojasild
Regarding 1024-bit keys support only? This applied to OpenPGP version 1
smartcards. As far as I know, these are no longer distributed to
Fellows, so no need to worry about that.
I've definitely got the newer card, I was just concerned about the
ambiguity of how many big keys I can put on the card.
