ECC CSR gen from Yubikey
Closed, Public

Event Timeline

This screenshot looks like you clicked on "Schüssel erneuern". Why is the title "ECC CSR gen from Yubikey"?

What does "SCD GETATTR KEY-ATTR-INFO" give you? What "CARDTYPE" and "CARDVERSION" does "SCD LEARN --force" give you?

Yeah, well, then the generation of ECC keys for smart cards is a 2.4 feature. I have implemented what you suggested: https://dev.gnupg.org/T4429#162056
If this suggestion doesn't work with 2.2, then it doesn't work with 2.2.

Backported the needed stuff:

rG398cec3ac7ac6fe3bdc2f27334c3cc9da51ba938
rG2e39fed1091077c6b55b375c1755d06e199ee4e9
rG210ba983557bcbd09208aa5e488e04fda6c1a45f

For de-vs we should limit the capability to create non-compliant keys. This might have happened in Kleopatra already but needs to be checked.

Kleopatra doesn't have any restrictions when generating smart card keys. When generating OpenPGP certificates or CSRs off-card or from card keys, then in de-vs mode only RSA 3072, RSA 4096 or any supported curve (without any restrictions) can be chosen. Except for RSA 2048, Kleopatra doesn't know which algos are compliant or not compliant.

Given that there is now also a restriction for rsa2048 in de-vs mode, can you please also restrict all non-brainpool curves?