
Store the ECDH parameters in the key file
Open, Normal, Public

Description

With T6378 we fixed how to write keys to an OpenPGP card. However, it is still not always possible to re-create an ECDH OpenPGP key without knowing the ECDH parameters. They are mostly fixed, but different GnuPG versions used at least 2 different ones. Thus we should handle them similarly to the creation date and store the parameters in the key file.

Event Timeline

werner triaged this task as Normal priority. Apr 21 2023, 3:12 PM
werner created this task.

Considering the design of gpg-agent which focuses on private key operations and data, it would be better to enhance the gpg-agent protocol to inquire public key data of any format defined by the client (including ECDH KDF parameters of OpenPGP). I mean, instead of storing data in the key file (originally designed for private key + some additional data), we will enhance the protocol.

Currently, the situations where the parameters are needed are:

  • to compute fingerprint of OpenPGP for card key

In future, when/if we adopt a KEM API for the PKDECRYPT operation, it will also be needed:

  • to execute PKDECRYPT operation
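As an added illustration (not code from GnuPG or from this task) of why the KDF parameters matter for the card-key fingerprint mentioned above: they are part of the ECDH public-key packet body (RFC 6637 section 9), so the v4 fingerprint changes with them. The curve point, creation time and the two parameter sets below are constructed values.

```python
import hashlib
import struct

# Algorithm identifiers from RFC 4880 (section 9) and RFC 6637.
PK_ECDH = 18
HASH_SHA256, HASH_SHA512 = 8, 10
SYM_AES128, SYM_AES256 = 7, 9
# DER body of the Curve25519 OID used by GnuPG (1.3.6.1.4.1.3029.1.5.1).
OID_CURVE25519 = bytes.fromhex("2b060104019755010501")

def mpi(data: bytes) -> bytes:
    """Encode a big-endian magnitude as an OpenPGP MPI (2-octet bit count + bytes)."""
    data = data.lstrip(b"\x00")
    bits = (len(data) - 1) * 8 + data[0].bit_length() if data else 0
    return struct.pack(">H", bits) + data

def ecdh_public_key_body(created, oid, point, kdf_hash, kdf_sym):
    """Body of a version-4 ECDH public-key packet (RFC 4880 5.5.2, RFC 6637 9).
    The trailing KDF field is the data this task proposes to keep with the key:
    size octet, reserved 0x01, hash algorithm id, symmetric cipher id."""
    kdf_params = bytes([3, 0x01, kdf_hash, kdf_sym])
    return (bytes([4]) + struct.pack(">I", created) + bytes([PK_ECDH])
            + bytes([len(oid)]) + oid + mpi(point) + kdf_params)

def parse_kdf_params(body: bytes):
    """Recover (hash id, cipher id) from the end of an ECDH public-key body."""
    if body[-4] != 3 or body[-3] != 0x01:
        raise ValueError("unsupported KDF parameter encoding")
    return body[-2], body[-1]

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet length || body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

# Constructed sample: a fake Curve25519 point (0x40 prefix + 32 bytes) and a fixed time.
CREATED = 1682082720
POINT = b"\x40" + bytes(range(1, 33))

def demo():
    """Same curve point and creation time, two KDF parameter sets -> two fingerprints."""
    a = ecdh_public_key_body(CREATED, OID_CURVE25519, POINT, HASH_SHA256, SYM_AES128)
    b = ecdh_public_key_body(CREATED, OID_CURVE25519, POINT, HASH_SHA512, SYM_AES256)
    return {"sha256_aes128": v4_fingerprint(a), "sha512_aes256": v4_fingerprint(b)}
```

Without the stored hash/cipher ids the fingerprint cannot be recomputed from the card alone, which is the gap the task describes.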

We already have the ECDH parameters for OpenPGP in the gpg-agent API. The question is how large the data for PQC will be - likely we need to use an inquire already for this reason.

It's true that for the KEYTOCARD command, there is an optional argument for ECDH.
My point is that for the PKDECRYPT command, it will be necessary to add a mechanism for getting such a parameter (when we use a KEM API in gpg-agent).