Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka



On 24/Mar/20 22:48, Randy Bush wrote:

> almost all our cultures have gaps; but some worse than others.  we will
> all learn lessons in the coming many months of plague.  i know an office
> which lost key engineers last year because they would not let them work
> remotely.  now the entire company is working remotely, and successfully.

The Coronavirus is amplifying and accelerating the new economy that is
burgeoning at the borders.

With some luck, those that need to pay attention, are.

Mark.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Randy Bush
> And likewise this short message about South Africa was highly useful for
> my country of residence, Lebanon, too. We are under a full, quite severe
> lockdown, with fines, checkpoints, etc.
> Several ISPs here who kept NOC support (a single person) near the server
> room, in the office, got fined too, like ordinary businesses, because there is
> no regulation that allows them to operate.

while i have visited, i claim zero understanding of your culture.  but
gossip from friends is that there is a larger than usual communication
gap between the internet industry and government.  and, as far as i have
been told, it is not for a lack of effort.  perhaps the culture will
learn how critical the net is and what it needs to be maintained.

almost all our cultures have gaps; but some worse than others.  we will
all learn lessons in the coming many months of plague.  i know an office
which lost key engineers last year because they would not let them work
remotely.  now the entire company is working remotely, and successfully.

randy


Re: crypto frobs

2020-03-24 Thread Rob Seastrom


> On Mar 23, 2020, at 8:48 PM, William Herrin  wrote:

>> If they *do* steal both,
>> they can bruteforce the SSH passphrase, but after 5 tries of guessing
>> the Yubikey PIN it self-destructs.
> 
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.

https://www.yubico.com/products/identifying-your-yubikey/ 


The (presumably) Yubico OTP/OATH/HOTP string from a Yubikey that you may have
picked up six years ago on a lark doesn't even begin to scratch the surface.

The integration with FIDO2 in the low-end models in OpenSSH 8.2 in particular
is very spiffy (and not to be confused with PIV or OpenPGP mode).

-r




Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Denys Fedoryshchenko

On 2020-03-24 18:59, Randy Bush wrote:
>> He's a network operator. From North America, on the North American Network
>> Operators mailing list. Something you are not, so please stop spouting your
>> drivel on a list that has nothing to do with you.
>
> this is not how we should act under pressure

+1

NANOG very often inspired me and my friends as the best example of
discussion and of the process of solving various problems related to the
internet in general. And now everybody around the world has a major, similar
problem. And someone now says go away from here, is this a mailing list for
North American operators? If this is really a decision supported by the
majority (which I doubt), I would like to know that.


For example, the reminder that VPNs are very poorly balanced over a LAG
was very useful.


And likewise this short message about South Africa was highly useful for my
country of residence, Lebanon, too. We are under a full, quite severe
lockdown, with fines, checkpoints, etc.
Several ISPs here who kept NOC support (a single person) near the server
room, in the office, got fined too, like ordinary businesses, because there is
no regulation that allows them to operate. This is terrible, because in such
circumstances an ISP cannot continue to provide reliable service, and their
customers without internet might not keep to isolation.
Therefore, I carefully read this group to see how everyone solves similar
problems.
And this is why how it is solved in North America or other countries or
regions can be an example for other countries.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka



On 24/Mar/20 02:10, Joshua D'Alton wrote:

>
> Are there any inklings of international co-operation with regards to
> "no foreigners" as per recently Australia and other nations, in terms
> of allowing in those engaged in telecommunications services where in
> some cases remote/local hands are not sufficient?

Well, lockdown basically means all civil aviation is shutdown, with the
exception of cargo transport.

But if you have infrastructure down here, you probably have local hands
that you can call on to support you, which is what I was relaying to
those it may concern.

At any rate, I'm not sure anyone should (or wants to) be traveling
anywhere at this time, national and international. But that's just me :-).

Mark


Re: free collaborative tools for low BW and losy connections

2020-03-24 Thread Miles Fidelman
It would be a lot MORE relevant if there were some actual tools listed & 
discussed!


Miles Fidelman

On 3/24/20 1:48 PM, Scott Weeks wrote:



Hello,

I was watching SDNOG and saw the below conversation recently.
Here is the relevant part:

"I think this is the concern of all of us, how to work from home and to
keep same productivity level,, we need collaborative tools to engaging
the team.  I am still searching for tool and apps that are free, tolerance
the poor internet speed."

I know of some free tools and all, but am not aware of the tolerance
they may have to slow speed and (likely) poor internet connections.

I was wondering if anyone here has experience with tools that'd work,
so I could suggest something to them.

I don't know if everyone's aware of what they have been going through
in Sudan (both of them), but it has been a rough life there recently.

Thanks!
scott





 Original Message 
Subject: [sdnog] How to work from home

Hi all
Hope you are all safe wherever you are,

Regarding the current situation around the world, and as we are all
advised/forced to start working from home, which is not common here
in our community, and I know some bosses are not convinced unless
they see you at your desk :D

my question is , for simple offices ,with no great infrastructure
, just an internet connection to their edge ,how can they work
from home ? Is there any free tools /ways they can use, what are
the options, with taking along the security concerns

what is your advice to achieve that in a proper way , and for
those who managed to work from home , how did you do that ?
Please share your experience ^_^


And how we as "sdnog community" can help in that "for the old
fashioned bosses :D"

--

From: "aseromeru...@hotmail.com" 

I think this is the concern of all of us, how to work from home
and to keep same productivity level,, we need collaborative tools
to engaging the team.
I am still searching for tool and apps that are free, tolerance
the poor internet speed.

Any suggestion


--
In theory, there is no difference between theory and practice.
In practice, there is.   Yogi Berra

Theory is when you know everything but nothing works.
Practice is when everything works but no one knows why.
In our lab, theory and practice are combined:
nothing works and no one knows why.  ... unknown



free collaborative tools for low BW and losy connections

2020-03-24 Thread Scott Weeks
Hello,

I was watching SDNOG and saw the below conversation recently.  Here is the
relevant part:

"I think this is the concern of all of us, how to work from home and to
keep same productivity level,, we need collaborative tools to engaging the
team.  I am still searching for tool and apps that are free, tolerance the
poor internet speed."

I know of some free tools and all, but am not aware of the tolerance they
may have to slow speed and (likely) poor internet connections.

I was wondering if anyone here has experience with tools that'd work, so I
could suggest something to them.

I don't know if everyone's aware of what they have been going through in
Sudan (both of them), but it has been a rough life there recently.

Thanks!
scott

Original Message
Subject: [sdnog] How to work from home

Hi all
Hope you are all safe wherever you are,

Regarding the current situation around the world, and as we are all
advised/forced to start working from home, which is not common here in our
community, and I know some bosses are not convinced unless they see you at
your desk :D

my question is, for simple offices, with no great infrastructure, just an
internet connection to their edge, how can they work from home? Is there
any free tools/ways they can use, what are the options, with taking along
the security concerns

what is your advice to achieve that in a proper way, and for those who
managed to work from home, how did you do that? Please share your
experience ^_^

And how we as "sdnog community" can help in that "for the old fashioned
bosses :D"

--
From: "aseromeru...@hotmail.com"

I think this is the concern of all of us, how to work from home and to
keep same productivity level,, we need collaborative tools to engaging the
team. I am still searching for tool and apps that are free, tolerance the
poor internet speed.

Any suggestion

Salesforce Peering / Network Engineer

2020-03-24 Thread Louis D
Hello Nanog,

If there is someone on list from Salesforce Network Engineering please
reply to me off list about an issue with reaching Salesforce at the DE-CIX in
New York.


Thanks,
Lou


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Joshua D'Alton
On Tue, 24 Mar 2020 at 06:50, Mark Tinka  wrote:

> The details of the implementation of the dispensation may be nuanced.
> Experience will tell us more in the coming days.


Are there any inklings of international co-operation with regards to "no
foreigners" as per recently Australia and other nations, in terms of
allowing in those engaged in telecommunications services where in some
cases remote/local hands are not sufficient?

On Tue, 24 Mar 2020 at 10:54, Warren Kumari  wrote:

> a bunch of people got together and put their SecurIDs in
> a grid under a webcam. That way they didn't need  to carry them with
> them - when they needed a token they would open the webcam page, and
> know that theirs was third down, and fourth across
>

Wow, an update to the post-it note password in the top drawer... hilarious and sad.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Tom Beecher
Alexandre-

I do hope that you reconsider your decision to unsubscribe. Many of us post
massively uninformed bullshit here on a regular basis, myself included. I
don't think anything you have posted here rose to that curious standard.

Be well!

On Tue, Mar 24, 2020 at 11:47 AM Alexandre Petrescu <
alexandre.petre...@gmail.com> wrote:

> This is my last post on this email list.
>
> It is true - I am not a network operator.  In honesty I think I never
> claimed to be one.
>
> I do not understand the word 'spout'.
>
> You think this has nothing to do with me - I unsubscribe.
>
> Sorry for disturbing,
>
> Alex, LF/HF 1
>
> On 24/03/2020 at 14:47, Paul WALL wrote:
>
>
> On Tue, Mar 24, 2020 at 6:22 AM Alexandre Petrescu <
> alexandre.petre...@gmail.com> wrote:
>
>>
>>
>> Mr. Morrow - where are you situated approximately?
>>
>>
> He's a network operator. From North America, on the North American Network
> Operators mailing list. Something you are not, so please stop spouting your
> drivel on a list that has nothing to do with you. This is a crisis, not a
> time for a European Project Proposer to spout off massively uninformed
> bullshit non-stop because no one else will listen.
>
> NANOG-L mods: it's time to show some leadership.
>
>


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka


On 24/Mar/20 15:47, Paul WALL wrote:

>
> He's a network operator. From North America, on the North American
> Network Operators mailing list. Something you are not, so please stop
> spouting your drivel on a list that has nothing to do with you. This
> is a crisis, not a time for a European Project Proposer to spout off
> massively uninformed bullshit non-stop because no one else will listen.

The Internet is the same version in Europe as it is in North America.
Breakage on either side of the pond will impact the other side.

Physical infrastructure is what separated the success of countries. The
Internet is the single biggest thing that levels the playing field,
globally.

Mark.


Re: interesting troubleshooting

2020-03-24 Thread Brandon Martin
On 3/20/20 5:57 PM, Jared Mauch wrote:
> It’s the protocol 50 IPSEC VPNs.  They are very sensitive to path changes and 
> reordering as well.

Is there a reason these are so sensitive to re-ordering or path changes?  ESP 
should just encap whatever is underneath it on a packet-by-packet basis and be 
relatively stateless on its own unless folks are super strictly enforcing 
sequence numbering (maybe this is common?).  I can understand that some of the 
underlying protocols in use, especially LAN protocols like SMB/CIFS, might not 
really like re-ordering or public-Internet-like jitter and delay changes, but 
that's going to be the case with any transparent VPN and is one of SMB/CIFS's 
many flaws.

For LAGs where both endpoints are on the same gear (either the same box/chassis 
or a multi-chassis virtual setup where both planes are geographically local) 
and all links traverse the same path, i.e. the LAG is purely for capacity, I've 
always wondered why round-robin isn't more common.  That will re-order by at 
worst the number of links in the LAG, and if the links are much faster and well 
utilized compared to the sub-flows, I'd expect the re-ordering to be minimal 
even then, though I haven't done the math to show it and might be wrong.

I'd argue that any remote access VPN product that can't handle minor packet 
re-ordering is sufficiently flawed as to be useless.  Systems designed for very 
controlled deployment on a long-term point-to-point basis are perhaps excepted, 
here.
-- 
Brandon Martin
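The window behaviour Brandon asks about, as an added example that is not code from the thread or from any IPsec implementation: a Python model of the RFC 4303 receiver-side anti-replay window, fed by a constructed round-robin LAG. The LAG model (`deliver_round_robin`, with a fixed delay per member link) is an assumption of this example, not a real hashing or balancing algorithm. It also illustrates the earlier remark in this thread that VPNs balance poorly over a LAG: ESP is stateless per packet, but a receiver with anti-replay enabled keeps a window (the RFC's default is 64, minimum 32) and drops anything that arrives more than that many sequence numbers behind the newest packet, so reordering inside the window costs nothing while one member link that suddenly takes a longer path turns into loss.

```python
"""Added example (not code from the thread): an ESP anti-replay window per
RFC 4303 section 3.4.3, plus a constructed round-robin LAG that reorders
packets by a bounded amount, to show where reordering becomes loss."""


class AntiReplayWindow:
    """Sliding-window replay check. Bit i of `bitmap` set means sequence
    number (top - i) has already been accepted; bit 0 is `top` itself."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it passes; False if it is a
        replay or has fallen off the left edge of the window."""
        if seq == 0:
            return False      # 0 is never a valid ESP sequence number
        if seq > self.top:    # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False      # too old: left of the window, treated as replay
        if self.bitmap & (1 << offset):
            return False      # already seen: a genuine replay
        self.bitmap |= 1 << offset
        return True


def deliver_round_robin(n_packets: int, link_delays: list) -> list:
    """Constructed LAG model (an assumption of this example, not a real
    hashing implementation). Packet i (sequence number i + 1) is sent at
    time i on link i % k and arrives at time i + link_delays[i % k].
    Returns the sequence numbers in arrival order, ties broken FIFO."""
    k = len(link_delays)
    arrivals = sorted((i + link_delays[i % k], i + 1) for i in range(n_packets))
    return [seq for _, seq in arrivals]


def max_displacement(order: list) -> int:
    """How far out of place the worst packet was delivered."""
    return max(abs(pos - (seq - 1)) for pos, seq in enumerate(order))


def receive(order: list, window_size: int = 64) -> list:
    """Run an arrival sequence through the anti-replay window and return
    the sequence numbers that were accepted."""
    window = AntiReplayWindow(window_size)
    return [seq for seq in order if window.check_and_update(seq)]


if __name__ == "__main__":
    # Four links on the same path with only serialisation skew between them:
    # reordering stays below the link count and every packet survives.
    even = deliver_round_robin(1000, [0, 1, 2, 3])
    print("skew<=3: worst displacement", max_displacement(even),
          "accepted", len(receive(even)), "of 1000")
    # One member link now takes a 100-unit-longer path: its packets arrive
    # roughly 75 sequence numbers behind the others and a 64-entry window
    # drops them, while a 1024-entry window accepts the same stream.
    uneven = deliver_round_robin(1000, [0, 0, 0, 100])
    print("one slow link: window 64 accepts", len(receive(uneven, 64)),
          "window 1024 accepts", len(receive(uneven, 1024)))
```

With the window at 64 the skewed-link case loses most of the slow link's packets; widening the window (for example the `replay-window` argument to `ip xfrm state` on Linux, or the equivalent setting in the IKE daemon) makes the same arrival pattern lossless, which is the usual fix when a LAG or ECMP path reorders by more than a handful of packets.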


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Randy Bush
> He's a network operator. From North America, on the North American Network
> Operators mailing list. Something you are not, so please stop spouting your
> drivel on a list that has nothing to do with you.

this is not how we should act under pressure


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Alexandre Petrescu

This is my last post on this email list.

It is true - I am not a network operator.  In honesty I think I never 
claimed to be one.

I do not understand the word 'spout'.

You think this has nothing to do with me - I unsubscribe.

Sorry for disturbing,

Alex, LF/HF 1

On 24/03/2020 at 14:47, Paul WALL wrote:
> On Tue, Mar 24, 2020 at 6:22 AM Alexandre Petrescu
> <alexandre.petre...@gmail.com> wrote:
>
>> Mr. Morrow - where are you situated approximately?
>
> He's a network operator. From North America, on the North American
> Network Operators mailing list. Something you are not, so please stop
> spouting your drivel on a list that has nothing to do with you. This
> is a crisis, not a time for a European Project Proposer to spout off
> massively uninformed bullshit non-stop because no one else will listen.
>
> NANOG-L mods: it's time to show some leadership.


Re: crypto frobs

2020-03-24 Thread John Kinsella
To give it a mention, I’m a big fan of Duo Security. Auth requests are sent 
out-of-band to an authenticated app on your mobile device, you verify the 
request, then that’s sent back to the duo server and then to the requestor. 
I’ve used it with ssh and radius and it worked well.

Microsoft’s Authenticator app is interesting - a number is displayed in the app 
you’re trying to authenticate to, and you have to pick the same number in the 
app to prove before the app authenticates the request…but I don’t see that tech 
as being adopted by the networking folks...

In the end it comes down to what you need to secure, and how much effort you’re 
going to put into it. A yubikey/etc mitigates a risk of credential theft in a 
cheap, portable way that is frequently Good Enough.

John 

> On Mar 24, 2020, at 2:55 AM, John Covici  wrote:
> 
> How about a new technology I have heard about called sqrl.  See
> https://sqrl.grc.com for more information.  It overcomes a lot of the
> problems discussed here.
> 
> On Mon, 23 Mar 2020 22:22:18 -0400,
> Michael Loftis wrote:
>> 
>> On Mon, Mar 23, 2020 at 20:08 Michael Loftis  wrote:
>> 
>>> 
>>> 
>>> On Mon, Mar 23, 2020 at 18:50 William Herrin  wrote:
>>> 
 On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari  wrote:
> Well, yes and no. With a Yubikey the attacker has to be local to
> physically touch the button[0] - with just an SSH key, anyone who gets
> access to the machine can take my key and use it. This puts it in the
> "something you have" (not something you are) camp.
 
 Hi Warren,
 
 They're both "something you have" factors. The yubi key proves
 possession better than the ssh key just like a long password proves
 what-you-know better than a 4-digit PIN. But the ssh key and the yubi
 key are still part of the same authentication factor.
 
 
> Not really -- if an attacker steals my laptop, they don't have the
> yubikey (unless I store it in the USB port).
 
 You make a habit of removing your yubi key from the laptop when nature
 calls? No you don't.
 
 
> If they *do* steal both,
> they can bruteforce the SSH passphrase, but after 5 tries of guessing
> the Yubikey PIN it self-destructs.
 
 What yubikey are you talking about? I have a password protecting my
 ssh key but the yubikeys I've used (including the FIPS version) spit
 out a string of characters when you touch them. No pin.
 
>>> 
>>> The yubikey does many things depending on how it’s configured. None of
>>> mine use the touch to spit out OTP mode, that is the factory mode though
>>> yes. Other modes can be password protected (it uses the PIN nomenclature
>>> which is confusing, it definitely accepts ASCII and may even take binary
>>> data as a PIN depending on mode of operation) — it can present as industry
>>> standard smart card ( I have one with a pin/password for code signing in
>>> Visual Studio f/ex...along with a backup kept locked elsewhere)
>>> 
>> 
>> 
>> Replying to myself to clarify a bit... the PKI/SSL private keys are on the
>> Yubikey, password protected, signing is accomplished by VS passing the bits
>> to be signed to the smart card application on the yubikey, which requires a
>> password to enable/unlock. On the yubikey Depending on configuration this
>> is a just once operation typically. So each signing op requires a password
>> entry. But it could be configured differently. By only keeping the private
>> keys on the yubikey it’s something you have (the yubikey) and something you
>> know (the password)... the yubikey (barring software bugs obviously) will
>> not expose the private key, it only does the signing op.
>> 
>> That same yubikey has a separate app and trust store in OpenGPG mode, which
>> does signing for ssh pubkey auth, with a different private key. Same key
>> also does FIDO, another application with another key store.
>> 
>> The same key doing all that could also have a “long touch” to spit out an
>> OTP.
>> 
>> 
>> 
 Regards,
 Bill Herrin
 
 
 --
 William Herrin
 b...@herrin.us
 https://bill.herrin.us/
 
>>> --
>> 
>> "Genius might be described as a supreme capacity for getting its possessors
>> into trouble of all kinds."
>> -- Samuel Butler
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
> John Covici wb2una
> cov...@ccs.covici.com



Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka
So just to bring this back on-topic with an update - the South African
gubbermint have classified telecoms as an essential service.

Provided you possess the right authorization documentation, you can go
out and perform tasks that keep the bits moving.

Of course, local operators may have finer details about how all this
gets done without compromising health & safety for their staff, but for
those of you with infrastructure down this way, it's not doom and gloom
in our respect.

Mark.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Paul WALL
On Tue, Mar 24, 2020 at 6:22 AM Alexandre Petrescu <
alexandre.petre...@gmail.com> wrote:

>
>
> Mr. Morrow - where are you situated approximately?
>
>
He's a network operator. From North America, on the North American Network
Operators mailing list. Something you are not, so please stop spouting your
drivel on a list that has nothing to do with you. This is a crisis, not a
time for a European Project Proposer to
spout off massively uninformed bullshit non-stop because no one else will
listen.

NANOG-L mods: it's time to show some leadership.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Christopher Morrow
On Tue, Mar 24, 2020 at 6:21 AM Alexandre Petrescu
 wrote:
>
>
> On 23/03/2020 at 23:37, Christopher Morrow wrote:
> > how did 'africa on lockdown' get sidetracked into OTP conversations?
>
> Like this: when I hear someone say that her country is on lockdown,
> then advice not to forget the OTP device at the desk.
>
> Mr. Morrow - where are you situated approximately?

third planet from the sun... so they tell me.


Re: COVID-19 vs. our Networks

2020-03-24 Thread Alexandre Petrescu

I think we need an email list with both skillsets on it?

Remember this affects each one of us.

Alex, LF/HF 1

On 24/03/2020 at 14:18, Radu-Adrian Feurdean wrote:
> On Tue, Mar 17, 2020, at 19:59, Mike Hammett wrote:
>> Join an IX your provider is on?
>
> As someone that works for an IXP these days, I would prefer *NOT* having to
> deal with people that do not understand the Internet ecosystem. Which
> hospitals, and most businesses are.
> An IXP is not an ISP targeting business/corporate. We're already dealing with
> people that do not understand what an IXP does, and open tickets every time a
> direct BGP session (one between 2 peers, not involving the route-server) goes
> down. Even had "Google is slow" tickets.
> Joining an IX purely for PNI/NNI interconnection may be an option, but only if
> you are 100% sure that the other party agrees to a PNI/NNI over an IX. Some do,
> some don't, most don't even know it's a possibility.


Re: COVID-19 vs. our Networks

2020-03-24 Thread Radu-Adrian Feurdean
On Tue, Mar 17, 2020, at 19:59, Mike Hammett wrote:
> Join an IX your provider is on?

As someone that works for an IXP these days, I would prefer *NOT* having to 
deal with people that do not understand the Internet ecosystem. Which 
hospitals, and most businesses are.
An IXP is not an ISP targeting business/corporate. We're already dealing with 
people that do not understand what an IXP does, and open tickets every time a 
direct BGP session (one between 2 peers, not involving the route-server) goes 
down. Even had "Google is slow" tickets.
Joining an IX purely for PNI/NNI interconnection may be an option, but only if 
you are 100% sure that the other party agrees to a PNI/NNI over an IX. Some do, 
some don't, most don't even know it's a possibility.


Re: crypto frobs

2020-03-24 Thread Tom Beecher
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.
>

PIV-enabled ones have PINs if you are using that functionality.

On Mon, Mar 23, 2020 at 8:51 PM William Herrin  wrote:

> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari  wrote:
> > Well, yes and no. With a Yubikey the attacker has to be local to
> > physically touch the button[0] - with just an SSH key, anyone who gets
> > access to the machine can take my key and use it. This puts it in the
> > "something you have" (not something you are) camp.
>
> Hi Warren,
>
> They're both "something you have" factors. The yubi key proves
> possession better than the ssh key just like a long password proves
> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> key are still part of the same authentication factor.
>
>
> > Not really -- if an attacker steals my laptop, they don't have the
> > yubikey (unless I store it in the USB port).
>
> You make a habit of removing your yubi key from the laptop when nature
> calls? No you don't.
>
>
> > If they *do* steal both,
> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> > the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Alexandre Petrescu



On 23/03/2020 at 23:37, Christopher Morrow wrote:
> how did 'africa on lockdown' get sidetracked into OTP conversations?

Like this: when I hear someone say that her country is on lockdown,
then advice not to forget the OTP device at the desk.


Mr. Morrow - where are you situated approximately?

Alex



Re: crypto frobs

2020-03-24 Thread John Covici
How about a new technology I have heard about called sqrl.  See
https://sqrl.grc.com for more information.  It overcomes a lot of the
problems discussed here.

On Mon, 23 Mar 2020 22:22:18 -0400,
Michael Loftis wrote:
> 
> On Mon, Mar 23, 2020 at 20:08 Michael Loftis  wrote:
> 
> >
> >
> > On Mon, Mar 23, 2020 at 18:50 William Herrin  wrote:
> >
> >> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari  wrote:
> >> > Well, yes and no. With a Yubikey the attacker has to be local to
> >> > physically touch the button[0] - with just an SSH key, anyone who gets
> >> > access to the machine can take my key and use it. This puts it in the
> >> > "something you have" (not something you are) camp.
> >>
> >> Hi Warren,
> >>
> >> They're both "something you have" factors. The yubi key proves
> >> possession better than the ssh key just like a long password proves
> >> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> >> key are still part of the same authentication factor.
> >>
> >>
> >> > Not really -- if an attacker steals my laptop, they don't have the
> >> > yubikey (unless I store it in the USB port).
> >>
> >> You make a habit of removing your yubi key from the laptop when nature
> >> calls? No you don't.
> >>
> >>
> >> > If they *do* steal both,
> >> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> >> > the Yubikey PIN it self-destructs.
> >>
> >> What yubikey are you talking about? I have a password protecting my
> >> ssh key but the yubikeys I've used (including the FIPS version) spit
> >> out a string of characters when you touch them. No pin.
> >>
> >
> > The yubikey does many things depending on how it’s configured. None of
> > mine use the touch to spit out OTP mode, that is the factory mode though
> > yes. Other modes can be password protected (it uses the PIN nomenclature
> > > which is confusing, it definitely accepts ASCII and may even take binary
> > data as a PIN depending on mode of operation) ― it can present as industry
> > standard smart card ( I have one with a pin/password for code signing in
> > Visual Studio f/ex...along with a backup kept locked elsewhere)
> >
> 
> 
> Replying to myself to clarify a bit... the PKI/SSL private keys are on the
> Yubikey, password protected, signing is accomplished by VS passing the bits
> to be signed to the smart card application on the yubikey, which requires a
> password to enable/unlock. On the yubikey Depending on configuration this
> is a just once operation typically. So each signing op requires a password
> > entry. But it could be configured differently. By only keeping the private
> keys on the yubikey it’s something you have (the yubikey) and something you
> know (the password)... the yubikey (barring software bugs obviously) will
> not expose the private key, it only does the signing op.
> 
> That same yubikey has a separate app and trust store in OpenGPG mode, which
> does signing for ssh pubkey auth, with a different private key. Same key
> also does FIDO, another application with another key store.
> 
> The same key doing all that could also have a “long touch” to spit out an
> OTP.
> 
> 
> 
> >> Regards,
> >> Bill Herrin
> >>
> >>
> >> --
> >> William Herrin
> >> b...@herrin.us
> >> https://bill.herrin.us/
> >>
> > --
> 
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka



On 24/Mar/20 00:37, Christopher Morrow wrote:

> how did 'africa on lockdown' get sidetracked into OTP conversations?

Well, not the whole of Africa, yet :-)...

Mark.


Re: South Africa On Lockdown - Coronavirus - Update!

2020-03-24 Thread Mark Tinka


On 24/Mar/20 00:19, Eric Tykwinski wrote:

> I guess I wasn’t as detailed as should be, multi factor authentication
> should hopefully have 1 standard which will work for everything.  So
> we have an app on our phone to authenticate after a username/password
> which give a 6 digit key, or we use a hardware based key to sign a
> OTP.  Really either doesn’t matter, but trying to get end users to
> switch between each for every login is going to hamper acceptance in
> the large scale.

For all my banking apps in South Africa, I can use username/password, QR
code or Face ID, in ascending order of preference. All transactions that
have not been pre-approved before require further authentication,
typically via SMS approval, which goes to the registered phone.

Qatar Airways' FQTV app supports Face ID login, but it SMS's and e-mails
you an OTP as the 2nd stage of authentication.

So different companies are doing different things, but one thing that is
consistent is that there are multiple stages being employed to login.

Mark.