Open del-leehopper opened 4 days ago
dainnilsson
commented
4 days ago The behavior is correct, the attestation key is not intended to be deleted when performing factory reset. Which specific part of the documentation do you think implies that the Attestation key would be deleted?
del-leehopper
commented
4 days ago https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-keys-set-touch-options-key-policy Under the "Touch Policies" it says:
Cached-Fixed: "Touch required, cached for 15s after use, cannot be disabled without deleting the private key."
and
Fixed: "Touch required, cannot be disabled without deleting the private key."
This isn't correct. It should add something like "Attestation key can never be changed if set to this policy."
Currently says: "Reset OpenPGP application. This action wipes all OpenPGP data, and sets all PINs to their default values."
Should add something like: "Note: Attestation key and policy will not be wiped."
The reason it's important is I have scripts that run to factory reset all features on a key, and other scripts that setup the key (OpenPGP, PIV, etc.) to our specification. When I run the script to set the Attestation Key to "Cached-Fixed" it throws an error. If I would have known that this doesn't reset, I could have ignored this setting for a re-used YubiKey, however, it isn't clear in the documentation that the Touch Policy is not reset.
Note: I am not suggesting the Attestation Key is reset, but I believe the touch policy should do. Or at least there should be a way to remove this, or renew the attestation key?
dainnilsson
commented
3 days ago Thanks for elaborating!
Fixed: "Touch required, cannot be disabled without deleting the private key."
I would say that this is correct. If you delete the attestation key, then the policy is deleted with it. You'll then be able to import or generate a new private key and set a new policy. Note that you will not be able to replace the key with one that is signed by Yubico, so you'll have to set up your own attestation CA for validation of this.
Should add something like: "Note: Attestation key and policy will not be wiped."
Yes, this I certainly agree with! I'll forward this to the docs team so that they can make it more clear.
del-leehopper
commented
3 days ago I would say that this is correct. If you delete the attestation key, then the policy is deleted with it. You'll then be able to import or generate a new private key and set a new policy. Note that you will not be able to replace the key with one that is signed by Yubico, so you'll have to set up your own attestation CA for validation of this.
Then can I suggest a tweak to the wording to make it more clear? "Touch required, cached for 15s after use, cannot be disabled without deleting the associated private key." "Touch required, cannot be disabled without deleting the associated private key."
It just makes it a bit clearer that you can delete each key individually and its associated policy will be deleted.
Yes, this I certainly agree with! I'll forward this to the docs team so that they can make it more clear.
Great, thank you.
Yes, I understand that if you delete the attestation key, you need to create your own. My point was that it's not clear how you would do this if someone would like to do it (e.g. removing the policy is more important that keeping the Yubico signed attestation key).
Steps to reproduce
Expected result
Actual results and logs
Other info
The documentation seems to point to the Attestation Key being reset just as with everything else.
So either the documentation needs to be updated, or there is a bug where this should reset but it doesn't.
If the documentation is wrong, and the Attestation Key does not get reset, then is there a way to reset it if needed?
https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-keys-set-touch-options-key-policy https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-reset-options