On Thu, 15 Jun 2017 17:43, d...@fifthhorseman.net said:

> I believe that killing gpg-agent kills scdaemon, which de-initializes
> the smartcard on shutdown, which takes it out of authenticated mode.

Right, the smartcard is power-cycled and thus it clears all its transient state.

> on whether that's feasible or not. it would be nice to have the
> semantics of the cache ttl be the same, regardless of whether a key is
> stored on a smartcard or not.

The properties of a smartcard and an on-disk key are very different. In fact a smartcard should be considered another gpg-agent to which gpg-agent delegates its operation. The properties of the smartcard are controlled by the card; for example, an OpenPGP card can be configured to require a PIN for each signing operation. Other types of smartcards have different conditions; for example, cards for qualified signatures allow only a certain number of signatures before a PIN needs to be re-entered, as well as more complicated schemes. Using the passphrase TTL also for a card does not really match.

A workaround is to force a reset of the card by putting

  card-timeout N

in scdaemon.conf, which shuts down the card after N seconds. Well, as of now N is just a binary flag to tell scdaemon to shut down the card at the next timer tick; thus immediately after an operation.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.