(from the first mail)
> I was able to successfully create a private key with stubs pointing to
> both cards as follows

Yes, that is how I ended up doing it back when I started using the same setup years ago (two smartcards, certifying key on one, signing on another). Only shortly ago, I got the impression from someone's mail to gnupg-users that GnuPG these days did it as we both expected it would do: upon inserting the second smartcard, replace the dummy S2K stubs with divert-to-card S2K's for the second card. Apparently it does not...

Once GnuPG has a secret key, I think it won't update it with new data. It didn't use to AFAIK, and apparently still doesn't. Somebody else recently tried exporting and importing a new subkey, and the import didn't work either. I just thought of that thread and replied to it as well.

> As my programming abilities are not sufficient to make a patch to
> change this behavior, I'd be happy to offer a financial contribution
> if someone with more skill were to give it a shot.

I commend your spirit. Werner Koch does paid feature development for GnuPG as well, although I am in no position to judge whether your financial contribution can pay for the whole feature. I'm also willing to contribute, but don't hold your breath over the amount of money ;). I've offered payment for a feature before, can't exactly remember what right now, but it was worth to me more than this particular one.

Come to think of it, I've never seen any mention of people paying for features and/or features made possible by paying users. Perhaps an interesting subthread to spawn, if Werner is comfortable discussing it?

Anyway, back to the topic: maybe there are situations where you don't want to update a secret key with new subkeys or new "key material" (let's consider a divert-to-card S2K as key material, and a dummy S2K as absence of it). But an option "--import-options update-secret-key" or something seems like a useful thing, and gives people the choice without resorting to gpgsplitting.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
