[Gnuk-users] Storing Certification Key on Gnuk?

NIIBE Yutaka gniibe at fsij.org
Mon Feb 16 00:46:06 UTC 2015


On 02/16/2015 02:55 AM, Jonathan Schleifer wrote:
> However, the Gnuk only offers me to store a signing key (which is a
> separate subkey for me and not the main key), an encryption key and
> an authentication key.

That's the limitation of the OpenPGP card specification.  Only three
specific keys.

I think that you can put a certification-only key on the Gnuk Token, but
then you can't store a signing-only key on the same token, because there
is only one slot.  And I don't know whether such a usage is well
supported by GnuPG.


I know that it's a kind of arbitrary limitation with the background of
the smartcard industry.  I would understand Diego's point to prefer no
arbitrary limitations.

However, it is also true that we can optimize an implementation given
such a limitation.  ... and an assessment of risks would be easier if
we had such a limitation.  Thus, (if it's not me who was accused ;-),
I'd rather want to take advantage of such a limitation.

We have a physical hardware limit of 20KiB of RAM on the STM32F103, and I
think that it's the main factor for Gnuk.  When all three keys are
loaded into RAM, memory pressure is high.

Well, I know the saying:

    Put all your eggs in the one basket and -- WATCH THAT BASKET.

For your private keys, my position is against this saying.  At least
in finance, exactly the opposite is recommended.  YMMV.

P.S.
GnuPG development and its community are mainly in Europe and the U.S.,
while Gnuk development is in Japan.  FST-01 is manufactured by a
Chinese company using the MCU by a European company.  This is my
intended structure, sort of.

P.P.S.
Well, occasionally, I need to learn the differences between cultures.  You
see, we are entering the season of Chinese New Year.  For ten days,
FST-01 is not available now.  You can order, but you have to wait for the
shipment until the end of the next week.