Page MenuHome GnuPG

Draft: Kleopatra: Card personalization workflow
Open, WishlistPublic

Description

Currently initializing a card in VS-NfD mode with backup is pretty complicated.

  1. Generate a soft key
  2. Transfer each subkey to the card
  3. Set Admin PIN
  4. Set User PIN
  5. Set Reset Code
  6. Backup soft key
  7. Delete soft key
  8. Import public key of card
  9. Certify public key and send it to the AD

We should simplify this to a question of "Username, E-Mail, Backup storage folder, Certification key".
Alternatively to the Backup storage folder we could generate the keys on card.
Certification key could be something like: "checkbox certify key <certifying key selection>"

Then we should automatically generate the PINs and set them. As a result dialog we show the PINs, save the PINs to the Backup storage folder, and offer to "Print user Pins" which would create something like the trusted disk pinbrief. Which is just a PDF with the PIN / Reset code.

Event Timeline

aheinecke triaged this task as Wishlist priority.Aug 1 2022, 2:20 PM
aheinecke created this task.

As part of this the "Change Reset Code" button should be hidden in the general user interface.

aheinecke edited projects, added Restricted Project; removed g10code.Feb 17 2023, 3:25 PM

Oh this issue was in the wrong project. Related to T5836

I already commented in T5836 which should be discussed here, instead:

After discussing with Andre, I suggest a button in the details window for moving all subkeys of the key to the attached smart card.
The normal user is not interested in subkeys, probably does not know that there are subkeys, they want to move "the" key to the card.

After clicking that "move to card" button I would prefer that a backup would be offered first and after that the transfer and delete/not delete handled in a second window.

And also related is T6425 and T6420

For generate new keys we see four use cases

  1. Create card and backup card. -> Creates at least two cards with the same keys. Keys might be stored in ram: TODO: Add subtask
  2. Full backup of all keys - Allows for copied cards at a later time.
  3. Only backup encryption Key. - There is a backup of the encryption key on the computer.
  4. No backup - Keys will be generated on the card.
  • We need a restore ability to restore the backup keys to another smart card. Highest priority should have improved backup format and restore.

Regarding PIN, they should be set first.

  1. A temporary Admin / User PIN is be generated and stored in gpg-agent.
  2. Then the keys are created as mentioned above.
  3. The user is asked to set a new PIN and Admin PIN for the card.
  4. Optionally set a RESET CODE

I think we should separate this into two tasks:

  1. A function to copy a standard soft key (with the defaults generated in Kleopatra) to an empty smart card (into the default slots)
    • The action should be available in the certificate list as a (context) menu entry.
  2. A configurable, script like list of actions.
    • Actions could be "generate soft-key", "print paperkey", "copy key to card" (the previous functionality), "backup private key to ...", "send certificate to server", "delete private soft-key", "generate key on card"; in case smart cards that are rolled out: "generate certificate from private keys on card", "set smart card PIN/PUK"
ebo renamed this task from Kleopatra: Card personalization workflow to Draft: Kleopatra: Card personalization workflow.Nov 13 2024, 1:37 PM
ebo edited projects, added gpd5x; removed Restricted Project.