Description
With T6378 we fixed how to write keys to an OpenPGP card. However, it is still not always possible to re-create an ECDH OpenPGP key without knowing the ECDH parameters. They are mostly fixed, but different GnuPG versions used at least 2 different ones. Thus we should handle them similarly to the creation date and store the parameters in the key file.
Status | Assigned | Task
---|---|---
Resolved | werner | T6378 keytocard: invalid value
Resolved | werner | T6382 keytocard fails to import a nistp384 ECDSA key
Open | werner | T6465 Store the ECDH parameters in the key file
Open | werner | T6620 Add a way to extract ECC key parameters from a public key
Event Timeline
Considering the design of gpg-agent, which focuses on private key operations and data, it would be better to enhance the gpg-agent protocol to inquire public key data of any format defined by the client (including the ECDH KDF parameters of OpenPGP). I mean, instead of storing data in the key file (originally designed for the private key plus some additional data), we will enhance the protocol.
Currently, the situations where the parameters are needed are:
- to compute the OpenPGP fingerprint of a card key
In the future, when/if we adopt a KEM API for the PKDECRYPT operation, they will also be needed:
- to execute the PKDECRYPT operation
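The following is an added example, not code from GnuPG or from this thread, showing why the fingerprint of a card key cannot be recomputed without the ECDH parameters mentioned in the description and in the comment above. It builds the body of a v4 OpenPGP public-key packet for an ECDH key as laid out in RFC 6637 section 9 (OID, point MPI, then the KDF parameter field: size 3, reserved 0x01, hash algorithm ID, symmetric algorithm ID) and hashes it as RFC 4880 section 12.2 prescribes. The creation time and the point are constructed values (the point is not a valid curve point, which does not matter for the fingerprint computation), and the two parameter sets are chosen for illustration only; no claim is made about which GnuPG version used which. The small parser at the end extracts the parameters back out of a public-key packet body, the direction T6620 asks for.

```python
import hashlib
import struct
from typing import Tuple

# OpenPGP public-key algorithm ID for ECDH (RFC 6637 section 5)
PUBKEY_ALGO_ECDH = 18

# DER-encoded curve OIDs without the leading length octet (RFC 6637 section 11)
OID_NISTP256 = bytes.fromhex("2A8648CE3D030107")

# Hash and symmetric algorithm IDs from RFC 4880 section 9
HASH_SHA256 = 8
HASH_SHA512 = 10
SYM_AES128 = 7
SYM_AES256 = 9


def mpi(value: bytes) -> bytes:
    """Encode an unsigned big-endian integer as an OpenPGP MPI (2-byte bit count + value)."""
    v = value.lstrip(b"\x00")
    if not v:
        return b"\x00\x00"
    bits = (len(v) - 1) * 8 + v[0].bit_length()
    return struct.pack(">H", bits) + v


def kdf_params(hash_algo: int, sym_algo: int) -> bytes:
    """RFC 6637 section 9 KDF parameter field: size (3), reserved 0x01, hash ID, symmetric ID."""
    return bytes([3, 1, hash_algo, sym_algo])


def ecdh_pubkey_body(creation_time: int, oid: bytes, point: bytes,
                     hash_algo: int, sym_algo: int) -> bytes:
    """Body of a v4 public-key packet for an ECDH key (RFC 4880 5.5.2, RFC 6637 9)."""
    return (b"\x04"
            + struct.pack(">I", creation_time)
            + bytes([PUBKEY_ALGO_ECDH])
            + bytes([len(oid)]) + oid
            + mpi(point)
            + kdf_params(hash_algo, sym_algo))


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    if len(body) > 0xFFFF:
        raise ValueError("public key body too long for a v4 fingerprint")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def parse_ecdh_kdf_params(body: bytes) -> Tuple[int, int]:
    """Walk a v4 ECDH public-key body and return (hash_algo, sym_algo) from the KDF field."""
    if len(body) < 7 or body[0] != 4 or body[5] != PUBKEY_ALGO_ECDH:
        raise ValueError("not a v4 ECDH public key body")
    pos = 6
    pos += 1 + body[pos]                                   # skip OID length byte and OID
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + (bits + 7) // 8                             # skip point MPI
    if len(body) < pos + 4 or body[pos] != 3 or body[pos + 1] != 1:
        raise ValueError("unsupported KDF parameter encoding")
    return body[pos + 2], body[pos + 3]


def fingerprints_for_two_param_sets() -> Tuple[str, str]:
    """Same curve, same point, same creation time; only the KDF parameters differ."""
    creation = 1700000000                     # constructed creation time
    point = b"\x04" + bytes(range(1, 65))     # constructed 65-byte SEC1 encoding, not a real P-256 point
    body_a = ecdh_pubkey_body(creation, OID_NISTP256, point, HASH_SHA256, SYM_AES128)
    body_b = ecdh_pubkey_body(creation, OID_NISTP256, point, HASH_SHA512, SYM_AES256)
    return v4_fingerprint(body_a), v4_fingerprint(body_b)


if __name__ == "__main__":
    fpr_a, fpr_b = fingerprints_for_two_param_sets()
    print("SHA256/AES128 params:", fpr_a)
    print("SHA512/AES256 params:", fpr_b)
    print("fingerprints differ:", fpr_a != fpr_b)
```

Because the KDF field is part of the hashed public-key body, a card that only holds the curve and the point cannot tell gpg-agent which of the two fingerprints the key was published under; the parameters have to come from somewhere else, either the key file (this task) or an inquiry to the client as proposed in the comment.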
We already have the ECDH parameters for OpenPGP in the gpg-agent API. The question is how large the data for PQC will be - likely we need to use an inquire already for this reason.
It's true that for the KEYTOCARD command there is an optional argument for ECDH.
My point is that for the PKDECRYPT command, it will be necessary to add a mechanism for getting such a parameter (when we use a KEM API in gpg-agent).