Re: xz backdoor

Hi,

On Sun, 2024-03-31 at 14:34 +0200, Pierre-Elliott Bécue wrote:
> The PGP submodule of a Yubikey can host 3 keys, one signing, one
> authent, and one encrypt. ISTR accessing the signing key is always
> prompting for the PIN. Same for the encryption key. (I think both can
> be configured otherwise)

I think presence confirmation is more useful, that is, interacting
physically with the device for each signature.  The Yubikey can do that
also for OpenPGP:

```
$ ykman openpgp keys set-touch --help
[...]
  Touch policies:

  Off (default)   no touch required
  On              touch required
  Fixed           touch required, can't be disabled without deleting the private key
  Cached          touch required, cached for 15s after use
  Cached-Fixed    touch required, cached for 15s after use, can't be disabled
                  without deleting the private key
```

(The PIN can still be cached.)

For OpenSSH it might also be more convenient to use Webauthn, that is,
the keys generated using `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`.

Ansgar
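As an added example, not part of Ansgar's message or the thread: once you rely on `-sk` keys for the presence check, the server-side `authorized_keys` file is where that requirement can silently be waived again, because the `no-touch-required` option (and a key generated with `ssh-keygen -O no-touch-required`) lets an sk key authenticate without a touch. The script below audits an `authorized_keys` file and reports, per key, whether it is a FIDO sk key, whether touch is still required for it, or whether it is an ordinary software key for which OpenSSH enforces no presence check at all. The sample file and its base64 blobs are constructed placeholders, not real keys; the function names are my own.

```shell
#!/bin/sh
# Audit an OpenSSH authorized_keys file for FIDO ("-sk") keys and check
# whether user presence (touch) is still required for each of them.
# Illustrative script added to this page, not code from the thread.

# Classify each key line.  Output per key: STATUS<TAB>KEYTYPE<TAB>COMMENT
#   touch-required  sk key, server will insist on a touch
#   touch-disabled  sk key, but the no-touch-required option waives it
#   not-sk-key      ordinary key type, OpenSSH enforces no presence check
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ { next }                    # skip comment lines
    NF == 0    { next }                    # skip blank lines
    {
        # Locate the key-type field; everything before it is the
        # comma-separated options list (possibly empty).
        kt = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(sk-|ssh-|ecdsa-sha2-)/) { kt = i; break }
        }
        if (kt == 0) { print "unparsable\t-\t" $0; next }
        opts = ""
        for (i = 1; i < kt; i++) opts = opts " " $i
        comment = ""
        for (i = kt + 2; i <= NF; i++)
            comment = comment (comment == "" ? "" : " ") $i
        if ($kt ~ /^sk-/) {
            if (opts ~ /(^|[ ,])no-touch-required([ ,]|$)/)
                status = "touch-disabled"
            else
                status = "touch-required"
        } else {
            status = "not-sk-key"
        }
        print status "\t" $kt "\t" comment
    }' "$1"
}

# Number of sk keys whose touch requirement has been waived.
count_touch_disabled() {
    audit_authorized_keys "$1" | grep -c '^touch-disabled'
}

# Constructed sample authorized_keys; the AAAAEXAMPLE blobs are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# example authorized_keys (constructed for this demo)
sk-ssh-ed25519@openssh.com AAAAEXAMPLEBLOB1 alice@laptop
no-touch-required,restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAEXAMPLEBLOB2 ci@runner
ssh-ed25519 AAAAEXAMPLEBLOB3 bob@desktop
EOF
}

# Usage: sh audit.sh --demo        (runs against the constructed sample)
#        sh audit.sh ~/.ssh/authorized_keys
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample "$f"
    audit_authorized_keys "$f"
    rm -f "$f"
elif [ -n "${1:-}" ]; then
    audit_authorized_keys "$1"
fi
```

Anything reported as `touch-disabled` is an sk key that has lost the property the thread is after, and `not-sk-key` lines are keys for which presence confirmation, if any, depends entirely on the client side (for example a Yubikey OpenPGP key behind gpg-agent with a touch policy set), which the server cannot verify.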