On Sat, Dec 03, 2016 at 11:24:28AM -0800, Micah Lee wrote:
> On 12/02/2016 06:50 PM, Leeteqxv wrote:
> > Is it not possible to configure this to have the Yubikey require the
> > person to press the key button manually/physically?
> > If not, such a limitation would lie in the software rather than in the
> > Yubikey, I assume, since the Yubikey supports Challenge-Response and such
> > already? If possible, it is definitely preferable to work around
> > potential PIN theft and subsequent hidden (mis)use by requiring a
> > manual/physical action.
> 
> The problem here is that products that can be used as OpenPGP smart
> cards, like the Yubikey, can't just make arbitrary features like
> challenge-response for secret key operations. They need to implement the
> OpenPGP specification so that all software that works with them (GnuPG,
> OpenKeychain, others) can implement the same spec, and everything can just.
> 
> The spec currently supports requiring a PIN to do secret key operations,
> with rate limiting so that too many invalid PIN guesses lock the
> card. In order to support challenge-response as well I think the OpenPGP
> smart card spec would need to get updated, which is a much longer
> process than just writing some new software.

Some kind of OTP probably could be framed into the PIN. Anyway, this does
not solve a much bigger problem, that is, no protection of the data itself
- the USB VM can intercept the communication and replace/capture what you
want to sign/decrypt.
If there is some protocol to use a smartcard over the network, such a
protocol probably handles this problem. Not sure if it's possible to use
it here, especially when limited to what the Yubikey firmware supports...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
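An added example (not code from this thread or from the Qubes or Yubikey projects) modelling the point Marek makes above: the card protects the key, not the data. The card signs whatever digest arrives with the right PIN; the USB qube in between sees the PIN and can forward a different digest; the only check available to the requesting qube is to verify the returned signature against the digest it meant to sign. Card, NewCard, Sign and SignVerified, and the 'tamper' knob, are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Card models an OpenPGP smart card: given the right PIN it signs whatever
// digest it is handed, with no way to know which document that digest is for.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
}

func NewCard(pin string) (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv, pin}, pub
}

func (c *Card) Sign(pin string, digest []byte) ([]byte, bool) {
	if pin != c.pin {
		return nil, false
	}
	return ed25519.Sign(c.priv, digest), true
}

// SignVerified is the requesting qube's side. The request crosses the USB qube,
// which sees the PIN and may forward a different digest; 'tamper' is a constructed
// stand-in for that (nil = honest relay). The signature is verified locally against
// the intended digest before use, so a swap is caught; passive capture is not.
func SignVerified(c *Card, pub ed25519.PublicKey, pin string, doc, tamper []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	forwarded := digest[:]
	if tamper != nil {
		forwarded = tamper
	}
	sig, ok := c.Sign(pin, forwarded)
	if !ok {
		return nil, errors.New("card rejected PIN")
	}
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature is not over the intended document")
	}
	return sig, nil
}
```

Decryption has no equivalent check: a proxy that merely copies the card's output has already obtained the plaintext, which is why the smartcard alone does not address that part of the problem.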
