[pkg-gnupg-maint] Bug#864788: Bug#864788: Bug#864788: cache TTL values ignored for smartcard PINs

Werner Koch wk at gnupg.org
Thu Jun 15 19:40:28 UTC 2017

On Thu, 15 Jun 2017 17:43, dkg at fifthhorseman.net said:

> I believe that killing gpg-agent kills scdaemon, which de-initializes
> the smartcard on shutdown, which takes it out of authenticated mode.

Right the smartcard is power-cycled and thus it clears all its transient

> on whether that's feasible or not.  it would be nice to have the
> semantics of the cache ttl be the same, regardless of whether a key is
> stored on a smartcard or not.

The properties of a smartcard and an on-disk key are very different.  In
fact a smartcard should be considered another gpg-agent to which
gpg-agent delegates its operation.  The properties of the smartcard are
controlled by the card; for example an OpenPGP card can be configured to
require a PIN for each signing operation.  Other types of smartcards
have different conditions for example cards for quailified signatures
allow only a cewrtain number of signatures before a PIN  needs to be
re-entered as well as more complicated schemes.  Using the
passphrase TTL also for a card does not really match.

A workaround is to force a reset of the card by putting

  card-timeout N

in scdaemon.conf which shuts down the card after N seconds.  Well, as of
now N is just a binary flag to tell sdaemon to shutdown the card at the
next timer tick; thus immediately after an operation.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170615/6ae2ade9/attachment.sig>

More information about the pkg-gnupg-maint mailing list