Hash: SHA256

On Sat, Dec 03, 2016 at 11:24:28AM -0800, Micah Lee wrote:
> On 12/02/2016 06:50 PM, Leeteqxv wrote:
> > Is it not possible to configure this to having the Yubikey require the
> > person to press the key button manually/physically?
> > If not, such a limitation would lie in the software rather than in the
> > Yubikey, I assume, since the Yubikey support Challenge-Response and such
> > already? If possible, it is definetely preferable to work around
> > potential PIN theft and subsequent hidden (mis)use by requiring a
> > manual/physical action.
> The problem here is that products that can be used as OpenPGP smart
> cards, like the Yubikey, can't just make arbitrary features like
> challenge-response for secret key operations. They need to implement the
> OpenPGP specification so that all software that works with them (GnuPG,
> OpenKeychain, others) can implement the same spec, and everything can just.
> The spec currently supports requiring a PIN to do secret key operations,
> with rate limiting that makes too many invalid PIN guesses locks the
> card. In order to support challenge-response as well I think the OpenPGP
> smart card spec would need to get updated, which is a much longer
> process that just writing some new software.

Some kind of OTP probably could be framed into PIN. Anyway, this does
not solve much bigger problem, that is no protection of the data itself
- - USB VM can intercept the communication and replace/capture what you
want to sign/decrypt.
If there is some protocol to use smartcard over the network, such
protocol probably handle this problem. Not sure if it's possible to use
it here, especially when limited to what Yubikey firmware supports...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Version: GnuPG v2


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to