[Gnuk-users] write certificate and other scripts
NIIBE Yutaka
gniibe at fsij.org
Wed Oct 26 23:51:57 UTC 2016
On 10/25/2016 09:53 PM, Jan Suhr | Nitrokey wrote:
> I noticed that Gnuk requires its own Python script to write an X.509
> certificate to the device.
Let me explain the situation. It is only offered as a compatibility
measure.
Gnuk doesn't encourage use of X.509 certificate. It is a major
difficulty for OpenPGP card implementations, because of its size.
Because of the difficulty to be implemented (in card system), the
certificate data object cannot be accessed by standard write object,
in Gnuk.
It is also difficult for host system. If it works, you are lucky.
Some readers can't handle such a large size object.
Well, when I configure Gnuk, I disable the feature of X.509
certificate, because it's no use for me.
> GnuPG has the same functionality implemented
> but it doesn't work with Gnuk (at least not for me). Would it be
> possible in future Gnuk revisions to use GPG to write X.509 certificates?
No, I don't have an idea to modify GPG (just for Gnuk), because I
think the feature itself is questionable.
In GnuPG, the certificate on card is only used by gpgsm (in not much
useful way). Scute also uses it, but it is not mandatory; a
certificate on file system just works.
> Are there other scripts which "replace" GPG's functionality?
What do you mean? Incompatibility? If you mean intended
incompatibilities, the non-support of X.509 certificate data object is
the only one thing.
If you mean scripting card access, see Python scripts in gnuk/tests/.
Err... it doesn't support X.509 certificate data object, either.