[Pki-clean-room-devel] implementing smartcard functionality

Jonathan McDowell noodles at earth.li
Fri Jan 20 10:43:44 UTC 2017


On Thu, Jan 12, 2017 at 04:56:49PM -0800, Elizabeth Ferdman wrote:
> Another question-- when setting or changing user info and pins on the
> smartcard, are the admin/user pins and reset code entered on the reader
> or through the command line? Same question for doing keytocard -- does
> the user enter the admin pin after doing keytocard on the pinpad or
> through their keyboard?

It depends. My understanding is the pinpad reader support is relatively
recent; certainly my experience (these days with a GnuK, previously with
an OpenPGP v1 card) has been that the reader has no ability for the user
to enter a pin, so it is done via the command line or the pin-entry
prompt.

Forcing it to happen via a pinpad is obviously more secure, as it both
prevents malicious software sniffing the pin and also means that it's
impossible to use the card without physical action on the part of the
user - I know that there has been some discussion about at least adding
a button to the GnuK in order to confirm each time a signature is
requested.

I would prioritise the ability to enter the pins via the command line
rather than the reader, as this should work in all instances (and I
believe is still the more common case).

J.

-- 
... I am a passenger.
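To make the two PIN-entry paths discussed above concrete, here is an added scdaemon.conf fragment (example configuration, not from this thread or the pki-clean-room project) showing the GnuPG 2.1+ options that select between the reader's pinpad and the host-side pinentry prompt; the option names are assumed from the scdaemon manual and the file lives at ~/.gnupg/scdaemon.conf.

```ini
# ~/.gnupg/scdaemon.conf (added example; assumes GnuPG 2.1 or later)

# Default behaviour: if the reader advertises a pinpad, scdaemon uses it,
# so the PIN never passes through the host keyboard or pinentry process.
# Some pinpad readers need this hint to accept PINs of variable length,
# otherwise entry silently fails and gpg falls back to reporting an error.
enable-pinpad-varlen

# Weaker but universally working alternative (the "command line / pinentry"
# path described in the thread): uncomment to force host-side PIN entry
# even when a pinpad is present. Needed for readers and tokens such as the
# GnuK or OpenPGP v1 card that have no pinpad at all, or when a pinpad
# misbehaves. Note the trade-off: software on the host can observe the PIN.
#disable-pinpad
```

With `disable-pinpad` unset and a pinpad reader attached, `gpg --card-edit` subcommands such as `passwd` and `keytocard` will prompt on the reader rather than via pinentry.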