Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard?
Date: Wed, 24 Apr 2019 14:19:27
In Reply to: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard? by Marek Szuba
1 On Wed, Apr 24, 2019 at 10:01 AM Marek Szuba <marecki@g.o> wrote:
2 >
3 > On 2019-04-24 13:41, Rich Freeman wrote:
4 >
5 > > What is the recommended way to create an on-card key?
6 >
7 > I haven't got my NitroKey yet but between the specifications (which say
8 > NK2 can hold up to 3 private RSA keys) and my prior experience with
9 > OpenPGP smartcards (which have always had at most one slot each assigned
10 > to authentication, encryption and signing), chances are pretty high you
11 > cannot have two separate signing keys in hardware. If so, your best bet
12 > is probably to generate the primary key in software (preferably with
13 > usage bits stripped down so that it can ONLY be used for signing keys),
14 > generate hardware subkeys associated with it, then stash the private
15 > primary key away somewhere.
16 >
18 Well, in that case recommendations for how to generate a key that
19 complies in software would be helpful. There used to be a wiki
20 article on it, but it is marked with various warnings saying it isn't
21 recommended to follow it, and has seemingly vanished with a note that
22 it moved somewhere.
24 Aside from that, it seems a bit odd to issue devs Nitrokeys (at
25 significant expense to both the Foundation and a kind sponsor), then
26 require a key design that can't actually be stored on the Nitrokey. A
27 Nitrokey-generated key is going to be way more secure than the way 99%
28 of devs will actually implement what seems to be intended, which is to
29 just generate their keys on a regular online host, and probably just
30 leave it there.
32 If it is the case that Nitrokeys can't support a separate primary key,
33 I'd suggest modifying the GLEP to remove that requirement when a
34 smartcard is in use. Its main purpose is to keep a key component
35 offline, and if the key is generated on the card that is already
36 accomplished. Maybe somebody has a suggestion for how to make the two
37 work together, otherwise I'll go ahead and suggest a GLEP revision for
38 the next Council meeting.
40 --
41 Rich