Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

YubiKey AID #6

Closed sjuerges closed 10 years ago

sjuerges commented 11 years ago

Correct me if I am mistaken, but the AID for the card is wrong ...

1) The manufacturer part of the AID is set to 0000 -> test card
2) The serial of EVERY YubiKey NEO is 00000001, which could result in problems.

jas4711 commented 11 years ago

Yes, these are known (to us) issues, but we forgot to open an issue about them. Let's see if we can use this issue to figure out what we best should do.

For 2) I think it is possible to configure the serial number when you upload the OpenPGP applet using gpshell. I suppose we should figure out which commands to use and publish that? I don't really know how to do this, except that I believe it should be possible. I may be wrong in that, of course.

sjuerges commented 11 years ago

Both are (if I interpret the code correctly) set in the build.xml:

property name="PACKAGE_AID" value="0xd2:0x76:0x00:0x01:0x24:0x01"

(-- inserted to separate fields --)

property name="APPLET_AID" value="0xd2:0x76:0x00:0x01:0x24:--0x01:--0x02:0x00:--0x00:0x00:--0x00:0x00:0x00:0x01:--0x00:0x00"

(RID--APP--VERSION--MANUFACTURER--SERIAL--RFU)

The Manufacturer ID has to be assigned by the FSE (I think, or whichever entity assigns these IDs) ... But in my opinion this isn't as important as the serial. The serial number should be unique for each card. So it either has to be set on delivery by Yubico, and they keep track of the serials, or in some other way. I have no idea how that is done.

We could contact the guys at g10code that deliver the "ZeitControl" OpenPGP smartcards and determine how they calculate serial number progression (as an idea).

klali commented 11 years ago

There is a registered manufacturer id for Yubico: 06.

For me this is an issue with Yubico's (our) distribution of the app and not an issue with the app itself (and the serial field should simply be the already assigned serial of that key).

ulrichard commented 10 years ago

What is the encoding for these two values? It would be perfect for me if I could set it to the same value as my CryptoStick. I know it's not how it was intended. But with this I would have the two sticks interchangeable, a seamless backup.

sjuerges commented 10 years ago

The encoding is noted in my post 2 spots above yours ...

ulrichard commented 10 years ago

Yes, I saw your comment above. But the SERIAL is the only field that I know what I have to use for. Is it the only one that matters for gpg? What is the numeric value for Manufacturer .....: ZeitControl?

klali commented 10 years ago

ZeitControl has id 5, but the easiest will be to just take the 'Application ID' from gpg --card-status and use that.

This needs to be set either when compiling the applet or when installing it on the card. If you add the -instAID parameter to the install command in the gpshell file, you don't need to recompile the applet.

ulrichard commented 10 years ago

Thanks for the info. I have the CryptoStick and the YubiKeyNeo now interchangeable.

jas4711 commented 10 years ago

One solution here is to add a flag to 'ykneomgr' to give it the ability to set the instance AID on installation.

So let's wait for https://github.com/Yubico/libykneomgr/issues/17 and then document how to use it in ykneo-openpgp.

jas4711 commented 10 years ago

As a side note, Yubico has begun shipping NEOs with a "proper" OpenPGP application ID. However, right now the decimal serial number is converted into hex and then placed into the OpenPGP application ID. We quickly realized that GnuPG etc. prompt for the application ID (since it is stored in the keyring for the stubs), and locating a decimally marked NEO based on a hex number is probably not very user friendly.

So for any future NEOs that are ordered, this issue should have gone away. If you are installing the applet yourself, you can use gpshell with -instAID to specify the application id you want. This may be good enough for practical use, not many people will be building and installing their own applet to make this a huge task.
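The AID layout quoted from build.xml earlier in the thread (RID, app, version, manufacturer, serial, RFU), klali's advice to take the 'Application ID' from gpg --card-status and pass it via -instAID, and the decimal-to-hex serial problem in the last comment all come down to encoding and decoding one 16-byte value. The following is an added example, not code from the ykneo-openpgp project or from anyone in this thread. The field layout follows the thread and the OpenPGP card specification; the manufacturer IDs (0 = test, 5 = ZeitControl, 6 = Yubico) are the ones stated above; the exact argument syntax of gpshell's -instAID flag and the sample gpg --card-status line are assumptions.

```python
"""Encode and decode the 16-byte OpenPGP card application ID (AID).

Field layout (from the build.xml comment in this thread and the OpenPGP
card specification):
  RID (5) | app (1) | version (2) | manufacturer (2) | serial (4) | RFU (2)
"""
import re
import struct

RID_OPENPGP = bytes.fromhex("d276000124")   # registered OpenPGP RID
APP_OPENPGP = 0x01                           # application byte for OpenPGP

# Manufacturer IDs as stated in the thread.
MANUFACTURER_TEST = 0x0000        # "test card"
MANUFACTURER_ZEITCONTROL = 0x0005
MANUFACTURER_YUBICO = 0x0006

# APPLET_AID value copied from the thread, including the "--" field markers
# that were inserted there for readability.
BUILD_XML_APPLET_AID = ("0xd2:0x76:0x00:0x01:0x24:--0x01:--0x02:0x00:--0x00:0x00:"
                        "--0x00:0x00:0x00:0x01:--0x00:0x00")


def build_openpgp_aid(version, manufacturer, serial, rfu=0):
    """Return the AID for a (major, minor) version, manufacturer and serial."""
    major, minor = version
    if not (0 <= manufacturer <= 0xFFFF and 0 <= serial <= 0xFFFFFFFF):
        raise ValueError("manufacturer must fit in 2 bytes, serial in 4 bytes")
    return (RID_OPENPGP
            + bytes([APP_OPENPGP, major, minor])
            + struct.pack(">H", manufacturer)
            + struct.pack(">I", serial)
            + struct.pack(">H", rfu))


def parse_openpgp_aid(aid):
    """Split a 16-byte OpenPGP AID into its fields; reject non-OpenPGP AIDs."""
    if len(aid) != 16:
        raise ValueError("OpenPGP AID must be 16 bytes, got %d" % len(aid))
    if aid[:5] != RID_OPENPGP or aid[5] != APP_OPENPGP:
        raise ValueError("not an OpenPGP AID: %s" % aid.hex())
    return {
        "version": (aid[6], aid[7]),
        "manufacturer": struct.unpack(">H", aid[8:10])[0],
        "serial": struct.unpack(">I", aid[10:14])[0],
        "rfu": struct.unpack(">H", aid[14:16])[0],
    }


def aid_from_ant_property(value):
    """Turn a build.xml value like '0xd2:0x76:...' into bytes.
    The '--' separators used in the thread are ignored."""
    return bytes(int(p, 16) for p in value.replace("--", "").split(":"))


def aid_from_card_status(line):
    """Extract the AID from a `gpg --card-status` 'Application ID' line
    (line format assumed: 'Application ID ...: <hex>')."""
    m = re.search(r"Application ID\s*\.*:\s*([0-9A-Fa-f ]+)", line)
    if not m:
        raise ValueError("no Application ID in: %r" % line)
    return bytes.fromhex(m.group(1).replace(" ", ""))


def gpshell_inst_aid(aid):
    """Format the AID for gpshell's install command. The flag name is from
    the thread; passing it as bare upper-case hex is an assumption."""
    return "-instAID " + aid.hex().upper()


def find_aids_for_printed_serial(aids, printed_serial):
    """Given the AIDs GnuPG stored for key stubs, return those whose serial
    field holds the decimal serial printed on a NEO. Because the number is
    stored as a binary integer, gpg shows it in hex (1234567 -> 0012D687),
    which is the usability problem described in the last comment."""
    return [a for a in aids if parse_openpgp_aid(a)["serial"] == printed_serial]


if __name__ == "__main__":
    shipped = aid_from_ant_property(BUILD_XML_APPLET_AID)
    print("build.xml AID:", parse_openpgp_aid(shipped))   # manufacturer 0, serial 1
    mine = build_openpgp_aid((2, 0), MANUFACTURER_YUBICO, 1234567)
    print("gpshell line:", gpshell_inst_aid(mine))
    # Constructed sample line in the shape gpg --card-status prints.
    cs = "Application ID ...: D2760001240102000005000012340000"
    print("CryptoStick AID fields:", parse_openpgp_aid(aid_from_card_status(cs)))
```

To clone a CryptoStick's identity onto a NEO as ulrichard did, feed the line from gpg --card-status to aid_from_card_status and put the result of gpshell_inst_aid on the install line; to check what a given applet build will report, run the build.xml value through aid_from_ant_property and parse_openpgp_aid before installing.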