Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0
215 stars, 67 forks

offer opensource alternative #41

Closed buzztiaan closed 8 years ago

buzztiaan commented 8 years ago

This current methodology does not allow me to implement this for Government use. Please revert back to your opensourced methods.

yonas commented 8 years ago

It's amazing that in 2016, people still revert to security through obscurity.

This must be some kind of deep, built-in human weakness. Why hasn't the message that security through obscurity doesn't work sunk in yet?

Do we need to write laws against this for the message to finally shine through?

mouse07410 commented 8 years ago

The algorithms they do are known (and public). Their implementation currently is not. I am disappointed a little - but it doesn't stop me from using this very nice product.

Yubico isn't the first/only one to not disclose their firmware by far. Some popular examples: IBM has been manufacturing the pretty popular, successful, and secure cryptographic coprocessors IBM 4758 -> 4764 -> 4765 (used by banks, etc. - but probably too expensive for punks). Guess what - they did not publish their firmware for you to review. Doh... What about Microsoft crypto libraries? Did Apple publish their entire new crypto code?

yonas commented 8 years ago

@mouse07410 That's a weak argument. If people are jumping off a bridge, should you do the same?

mouse07410 commented 8 years ago

I do not intend to argue with you - merely to educate about the reality we are living in. Deal with it as you wish.

I'm done here.

yonas commented 8 years ago

Ok, no worries.

And to address your point more specifically:

> The algorithms they do are known (and public). Their implementation currently is not.

The devil is in the details. Implementations of otherwise secure protocols and algorithms are the source of many vulnerabilities. Your security is now at greater risk.

dainnilsson commented 8 years ago

In an attempt to avoid misinterpretation on why I'm closing this issue, let me be clear on why I'm doing so:

This issue tracker is for discussing issues about the ykneo-openpgp Java applet project. The original comment is irrelevant in this context, as the project is licensed under the GPL. Comments and questions related to other Yubico projects or products do not belong here.

For Yubico's statement on the license of Yubico device firmware, please see this blog post: https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

For questions and comments related to that post, please use the methods indicated in the post itself.

miawgogo commented 8 years ago

May I also remind you that the company posted this in 2015: https://www.yubico.com/2015/01/love-third-party-validation/

This action seems to go against this statement from them.