Open jans23 opened 1 year ago
This is already implemented.
You can set it by using `opgpcard admin --card <card id> touch --key <KEY> --policy <policy>`, with card id obtained by `opgpcard status` (something like `0000:A02005CE`), `<KEY>` being `SIG`, `DEC` or `AUT`, and `<policy>` being `Off`, `On` or `Fixed` (`Fixed` means `On` but can't be changed until factory reset).
In gpg it can also be configured with `gpg --edit-card`, then `admin`, then `uif`.
Maybe we could change the default setting? It's currently `Off`.
Does GnuPG inform the user to confirm operations (via button)?
Where does `opgpcard` come from?
Do you know the default behaviour of other OpenPGP Card implementations?
`opgpcard` comes from openpgpcard-tools. Yubikeys default to off (yubikeys also have some additional settings regarding this, relating to caching the user presence for a while).
gnuk also appears to default to off. The specification also says that off is the default.
It would be good if pynitrokey supports this setting. And we should document it in our docs.
If we want to add support for the UIF flag in nitropy, don't we also want to add support for more openpgp related functionality in it (factory reset, pin configuration and general administration commands)?
Same for the documentation, if we start documenting parts of the standard, should we also build a more extensive documentation of openpgp smartcard usage?
In the nitrokey 3 section there is nothing regarding OpenPGP. It's true that the nitrokey storage does have some OpenPGP related docs. I guess most of it would apply and could be copied into the nitrokey 3 docs, with addition of UIF?
Yes, I think so as well. Parts of the documentation are already shared between multiple devices, since it's mostly a single feature description to be easier to maintain.
Should we wait for it to be stable on the nitrokey 3 before adding the documentation?
I would not wait, but instead just add a warning box that this is about test firmware, which soon will be stable.
Touch button should be used for sensitive Opcard operations.