[pkg-gnupg-maint] Bug#864788: Bug#864788: Bug#864788: cache TTL values ignored for smartcard PINs
Werner Koch
wk at gnupg.org
Thu Jun 15 19:40:28 UTC 2017
On Thu, 15 Jun 2017 17:43, dkg at fifthhorseman.net said:
> I believe that killing gpg-agent kills scdaemon, which de-initializes
> the smartcard on shutdown, which takes it out of authenticated mode.
Right, the smartcard is power-cycled and thus it clears all its transient
state.
> on whether that's feasible or not. it would be nice to have the
> semantics of the cache ttl be the same, regardless of whether a key is
> stored on a smartcard or not.
The properties of a smartcard and an on-disk key are very different. In
fact a smartcard should be considered another gpg-agent to which
gpg-agent delegates its operation. The properties of the smartcard are
controlled by the card; for example an OpenPGP card can be configured to
require a PIN for each signing operation. Other types of smartcards
have different conditions, for example cards for qualified signatures
allow only a certain number of signatures before a PIN needs to be
re-entered as well as more complicated schemes. Using the
passphrase TTL also for a card does not really match.
A workaround is to force a reset of the card by putting
card-timeout N
in scdaemon.conf which shuts down the card after N seconds. Well, as of
now N is just a binary flag to tell scdaemon to shutdown the card at the
next timer tick; thus immediately after an operation.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
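As an added illustration of the distinction Werner draws (not part of the original thread), the two configuration files involved, side by side. The `default-cache-ttl` and `max-cache-ttl` options are gpg-agent's passphrase-cache settings; per the message above they govern on-disk keys only, while the card's PIN state is governed by the card itself and by scdaemon's `card-timeout`. The numeric values are sample values.

```conf
# ~/.gnupg/gpg-agent.conf
# These TTLs apply to passphrases for keys stored on disk.
# They do NOT limit how long a smartcard stays in authenticated mode.
default-cache-ttl 600
max-cache-ttl 7200

# ~/.gnupg/scdaemon.conf
# card-timeout N: power down (reset) the card after N seconds, which
# clears its transient state, including PIN verification.
# As of the version discussed in this thread, N only acts as an on/off
# flag: any non-zero value resets the card at the next timer tick,
# i.e. right after each operation.  For a card that is configured to
# require the PIN for every signature this adds nothing; for a card
# that caches the PIN verification it forces re-entry each time.
card-timeout 1
```

After editing scdaemon.conf, reload the component with `gpgconf --reload scdaemon` (or restart the agent) so the setting takes effect.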