On 11/19/25 4:04 PM, Borden via Gnupg-users wrote:

> What's the control on this to stop a bad actor from stealing an
> OpenPGP card and setting the reset count to 99999? I know you
> alluded to hardware implementation, but does the spec require the
> level 2 password to change this, if it can?

Ah yes, sorry I forgot to mention it requires the Admin PIN a.k.a. PW3 to change the max attempts.

Just to get my terminology straight:

PW1 (User PIN) - Used for signing and decryption operations

RC (Reset Code) - Only valid for resetting PW1 after reaching max attempts. PW3 can be used for this as well.

PW3 (Admin PIN) - Used for sensitive admin operations, such as changing the max attempts for PW1 (if supported).

I pulled most of this from section 4.3 of the specification available here: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf

Hope that helps!

--
Best,
Chandler Davis


_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
