On 09/14/2015 01:30 AM, perillamint wrote:
> Yes. I generated single key with Signing Certification Encryption
> Authorization ability.
>
> If it is not supported by GnuPG, re-generating key with Signing
> Certification Encryption key (It's GnuPG default. I think..) and adding
> subkey with Authorization (for SSH auth) can be a solution?
Let me answer point by point.

Firstly, let me check the support situation of GnuPG for this specific usage of the same key on a smartcard for signing, decryption, and authentication. I'm sure that the current code of GnuPG 2.1.x doesn't support the usage of the same key on a smartcard. In my opinion, the OpenPGPcard specification doesn't encourage users to do this specific usage, too.

In GnuPG 2.1.x, access by gpg-agent to scdaemon is done with a KEYID of "OPENPGP.1", "OPENPGP.2", or "OPENPGP.3" (see the function ask_for_card in gnupg/agent/divert-scd.c), by accessing the <KEYGRIP>.key file under ~/.gnupg/private-keys-v1.d. I think that this situation is the same in GnuPG 2.0.x.

In GnuPG 1.4.x (when configured with no agent), access is done with SERIALNO. IIUC, it is possible for GnuPG 1.4.x to allow the usage of the same key on a smartcard. Setup of this specific usage requires quite cumbersome interactions, I believe. It requires multiple invocations of 'gpg --edit-key', invocation of the subcommand 'keytocard' and then, quit without saving.

Secondly, GnuPG's default key generation generates a primary key and an encryption subkey. The primary key has the capabilities of Signing (of messages) and Certification (signing of keys), while the encryption subkey has the capability of Encryption. IIUC, this was originally for a historic reason, but it makes sense too (since usage (especially revocation) is different and key lifetimes would be different).

And then, if you need, you can add an Authentication subkey (for SSH) by 'gpg --edit-key' and invoking the subcommand addkey (specifying the Authentication capability). If you don't have enough reason to use a single key material for multiple slots of the smartcard, it is recommended to follow the default.
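As an added illustration (not part of the thread and not GnuPG's own code), the following script reads the colon-separated output of `gpg --list-keys --with-colons` and reports whether a certificate follows the default layout described above (primary key with sign+certify, an encryption subkey, and an authentication subkey for SSH) or whether one key material carries several capabilities. Both listings are constructed samples; the key IDs and fingerprints are placeholders.

```python
from typing import Dict, List

# Constructed sample: the default layout plus an added authentication subkey.
DEFAULT_LAYOUT = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1442186000:::u:::scESCA::::::::
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1442186000::0000000000000000000000000000000000000002::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:BBBBBBBBBBBBBBBB:1442186000::::::e::::::::
sub:u:2048:1:CCCCCCCCCCCCCCCC:1442186000::::::a::::::::
"""

# Constructed sample: one key material with all four capabilities and no subkeys.
SINGLE_KEY_LAYOUT = """\
pub:u:2048:1:DDDDDDDDDDDDDDDD:1442186000:::u:::escaESCA::::::::
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1442186000::0000000000000000000000000000000000000004::Example User <user@example.invalid>::::::::::0:
"""


def parse_capabilities(listing: str) -> List[Dict[str, str]]:
    """Return one dict per pub/sub record with its key ID and capability letters.

    Field 12 of a pub/sub record holds the capabilities: lowercase e/s/c/a
    describe that key itself; uppercase letters on the pub record summarise
    the whole certificate and are dropped here.
    """
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        caps = "".join(ch for ch in fields[11] if ch.islower())
        keys.append({"type": fields[0], "keyid": fields[4], "caps": caps})
    return keys


def check_layout(listing: str) -> List[str]:
    """Return findings where the listing departs from the default layout."""
    keys = parse_capabilities(listing)
    findings = []
    for k in keys:
        if k["type"] == "pub" and set(k["caps"]) - {"s", "c"}:
            findings.append(f"primary {k['keyid']} carries '{k['caps']}': more than sign+certify")
        if k["type"] == "sub" and len(k["caps"]) > 1:
            findings.append(f"subkey {k['keyid']} carries '{k['caps']}': expected one capability")
    sub_caps = {k["caps"] for k in keys if k["type"] == "sub"}
    if "e" not in sub_caps:
        findings.append("no dedicated encryption subkey")
    if "a" not in sub_caps:
        findings.append("no authentication subkey (needed for SSH via gpg-agent)")
    return findings
```

Feed real output with `check_layout(open("keys.txt").read())` after running `gpg --list-keys --with-colons > keys.txt`; an empty result means the certificate matches the layout recommended in the reply.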
