Nitrokey / opcard-rs

OpenPGP card implementation

Usage of touch button #146

Open jans23 opened 1 year ago

jans23 commented 1 year ago

Touch button should be used for sensitive Opcard operations.

sosthene-nitrokey commented 1 year ago

This is already implemented.

You can set it by using opgpcard admin --card <card id> touch --key <KEY> --policy <policy>

With card id obtained by opgpcard status (something like 0000:A02005CE), <KEY> being SIG, DEC or AUT, and <policy> being Off, On or Fixed (Fixed means On but can't be changed until factory reset).

In gpg it can also be configured with gpg --edit-card, then admin and uif.
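To make the three policies in the comment above concrete, here is a small in-memory model of the per-key UIF (user interaction flag) state that `opgpcard admin ... touch --key <KEY> --policy <policy>` configures. This is an added example, not code from opcard-rs or openpgpcard-tools. It assumes the OpenPGP card layout for the UIF data objects (tags 0xD6/0xD7/0xD8 for SIG/DEC/AUT, first byte 0x00 Off, 0x01 On, 0x02 Fixed, second byte a feature byte where 0x20 denotes the button); those tag and byte values are the author's recollection of the specification, not something stated in the thread, and the class, function and exception names are invented for the example.

```python
"""
Model of the OpenPGP card UIF (touch) policy: Off, On, Fixed.

Added example, not code from opcard-rs or openpgpcard-tools.
Assumed (not on the page): UIF DO tags 0xD6 (SIG), 0xD7 (DEC), 0xD8 (AUT),
each 2 bytes: policy byte (0x00 Off, 0x01 On, 0x02 Fixed) + feature byte (0x20 = button).
"""
from enum import IntEnum


class Policy(IntEnum):
    OFF = 0x00     # no touch required (the default on opcard-rs, YubiKey, gnuk and per spec)
    ON = 0x01      # touch required, can be changed back
    FIXED = 0x02   # touch required, locked until factory reset


# Assumed DO tags per key slot (hypothetical constants for this example).
UIF_TAG = {"SIG": 0xD6, "DEC": 0xD7, "AUT": 0xD8}
FEATURE_BUTTON = 0x20


class PolicyLocked(Exception):
    """Raised when a slot whose policy is Fixed is asked to change."""


def parse_policy(text: str) -> Policy:
    """Map the CLI spelling (Off / On / Fixed, any case) to a Policy."""
    table = {"off": Policy.OFF, "on": Policy.ON, "fixed": Policy.FIXED}
    try:
        return table[text.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown policy {text!r}; expected Off, On or Fixed") from None


def decode_do(data: bytes) -> Policy:
    """Decode a 2-byte UIF data object into a Policy, rejecting malformed input."""
    if len(data) != 2:
        raise ValueError(f"UIF DO must be 2 bytes, got {len(data)}")
    return Policy(data[0])  # raises ValueError on an unknown policy byte


class TouchPolicyCard:
    """Minimal in-memory model of the three UIF slots on a card."""

    def __init__(self) -> None:
        self._uif = {key: Policy.OFF for key in UIF_TAG}  # factory default: all Off

    def get(self, key: str) -> Policy:
        return self._uif[self._slot(key)]

    def set(self, key: str, policy: Policy) -> None:
        """Equivalent of `touch --key KEY --policy POLICY`, honouring the Fixed lock."""
        slot = self._slot(key)
        if self._uif[slot] is Policy.FIXED:
            raise PolicyLocked(f"{slot} is Fixed; only a factory reset can change it")
        self._uif[slot] = Policy(policy)

    def requires_touch(self, key: str) -> bool:
        """True when a sensitive operation on this slot would wait for the button."""
        return self._uif[self._slot(key)] is not Policy.OFF

    def encode_do(self, key: str) -> bytes:
        """Serialise the slot as the assumed 2-byte UIF DO."""
        return bytes([self._uif[self._slot(key)], FEATURE_BUTTON])

    def factory_reset(self) -> None:
        """Clears every slot, including Fixed ones, back to Off."""
        self._uif = {key: Policy.OFF for key in UIF_TAG}

    def status(self) -> dict:
        """Human-readable view, roughly what a status command would print."""
        return {key: self._uif[key].name.capitalize() for key in UIF_TAG}

    @staticmethod
    def _slot(key: str) -> str:
        slot = key.upper()
        if slot not in UIF_TAG:
            raise ValueError(f"unknown key slot {key!r}; expected SIG, DEC or AUT")
        return slot


if __name__ == "__main__":
    card = TouchPolicyCard()
    card.set("SIG", parse_policy("On"))
    card.set("DEC", parse_policy("Fixed"))
    print(card.status())
    try:
        card.set("DEC", Policy.OFF)
    except PolicyLocked as exc:
        print("refused:", exc)
    card.factory_reset()
    print(card.status())
```

The model makes the one non-obvious rule visible: `set()` refuses any change once a slot is `Fixed`, and only `factory_reset()` clears it, which is exactly why a user should think before choosing Fixed on a production key.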

sosthene-nitrokey commented 1 year ago

Maybe we could change the default setting? It's currently on Off.

jans23 commented 1 year ago

Does GnuPG inform the user to confirm operations (via button)?

Where does opgpcard come from?

Do you know the default behaviour of other OpenPGP Card implementations?

sosthene-nitrokey commented 1 year ago

opgpcard comes from openpgpcard-tools. Yubikeys default to off (yubikeys also have some additional settings regarding this, relating to caching the user presence for a while).

gnuk also appears to default to off. The specification also says that off is the default.

jans23 commented 1 year ago

It would be good if pynitrokey supports this setting. And we should document it in our docs.

sosthene-nitrokey commented 1 year ago

If we want to add support for the UIF flag in nitropy, don't we also want to add support for more openpgp related functionality in it (factory reset, pin configuration and general administration commands)?

Same for the documentation, if we start documenting parts of the standard, should we also build a more extensive documentation of openpgp smartcard usage?

szszszsz commented 1 year ago
  1. I think ideally pynitrokey / Nitrokey App 2 would be self-contained regarding the device configuration, so mentioned settings would be very much welcomed.
  2. Re docs, do you think the content on docs.nitrokey is not enough?

sosthene-nitrokey commented 1 year ago

In the nitrokey 3 section there is nothing regarding OpenPGP. It's true that the nitrokey storage does have some OpenPGP related docs. I guess most of it would apply and could be copied into the nitrokey 3 docs, with addition of UIF?

szszszsz commented 1 year ago

Yes, I think so as well. Parts of the documentation are already shared between multiple devices, since it's mostly a single feature description, to be easier to maintain.

sosthene-nitrokey commented 1 year ago

Should we wait for it to be stable on the nitrokey 3 before adding the documentation?

szszszsz commented 1 year ago

I would not wait, but instead just add a warning box that this is about test firmware, which will soon be stable.