On Fri, 16 Feb 2024 15:12, Mario Haustein said:

> Is it likely that the `derive` check was just forgotten at this place? I
> cannot judge the consequences of this change, which is the reason for asking

Well, not forgotten but I have never seen that used by cards. I'll
check tomorrow whether I can see any problems with your suggestion.

FWIW, in gpgsm we had a somewhat related problem with RSA cards:

  /* Telesec RSA cards produced for NRW in 2022 came with only the
   * keyAgreement bit set.  This flag allows their use for encryption
   * anyway.  Example cert:
   *   Issuer: /CN=DOI CA 10a/OU=DOI/O=PKI-1-Verwaltung/C=DE
   *   key usage: digitalSignature nonRepudiation keyAgreement
   *   policies: 1.3.6.1.4.1.7924.1.1:N:
   */
  #define COMPAT_ALLOW_KA_TO_ENCR 1

However, this was clearly wrong.

Thanks for testing with the D-TRUST cards. I have always had problems
working with the Bundesdruckerei ;-)

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
