Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0
39 stars 7 forks

touch-policy=always not forcing touch on key use #23

Closed drebes closed 7 years ago

drebes commented 7 years ago

I'm trying to create a key to use with PIV for SSH

All works fine, unless I try to specify a touch-policy=always at key creation time.

My Yubikey Neo is not requiring a touch to allow access to the key.

Here is an example of a key and certificate creation. My understanding is that the second command was supposed to require a key touch before signing the certificate, but it works without any touch.

$ yubico-piv-tool -a generate --touch-policy=always -s 9a -A RSA2048  -o public.pem -k
Enter management key: 
Successfully generated a new private key.
$ yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=ssh/" -i public.pem -o cert.pem
Enter PIN: 
Successfully verified PIN.
Successfully generated a new self signed certificate.

Am I missing something?

klali commented 7 years ago

touch-policy (and pin-policy) is only available on YubiKey 4; this should probably be clearer in help/doc.

https://github.com/Yubico/yubico-piv-tool/commit/8614d227cb4804495677f5071448131aec54fa80
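The failure mode in this thread is silent: yubico-piv-tool accepts `--touch-policy=always` on a NEO and generates the key, but the applet never enforces the policy. A pre-flight check that refuses to proceed unless the device reports a YubiKey 4-class PIV applet is the practical fix. The script below is an added example, not code from this project or from the thread; it assumes the `yubico-piv-tool -a version` output format `Application version X.Y.Z found.` and that a major version of 4 or higher marks a YubiKey 4 or later (NEO reports a 1.x applet). The `RUN_ON_DEVICE` variable is an assumption of this example, used so the parsing functions can be exercised without a key plugged in.

```shell
#!/bin/sh
# Added example (not part of yubikey-piv-manager or yubico-piv-tool).
# Gate --touch-policy on the PIV applet version: a YubiKey NEO (applet 1.x)
# ignores touch/PIN policies; YubiKey 4 and later (applet 4.x+) enforce them.

# Extract "X.Y.Z" from `yubico-piv-tool -a version` output, assumed to read
# "Application version 4.3.4 found." Prints nothing if no version is present.
piv_applet_version() {
    printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p'
}

# Exit status 0 when the applet version is new enough for touch-policy and
# pin-policy. Assumption: major version >= 4. Unparsable input -> unsupported.
supports_touch_policy() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -ge 4 ]
}

# Real-device path. Only entered when RUN_ON_DEVICE=1 is set, so the checks
# above can be tested offline without yubico-piv-tool or a key present.
if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    out=$(yubico-piv-tool -a version 2>/dev/null) || out=""
    ver=$(piv_applet_version "$out")
    if supports_touch_policy "$ver"; then
        echo "Applet $ver: touch-policy supported, generating 9a key with touch required on every use"
        yubico-piv-tool -a generate --touch-policy=always -s 9a -A RSA2048 -o public.pem -k
        yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/CN=ssh/" -i public.pem -o cert.pem
        # Functional check: the selfsign step above must now block until the
        # key is touched. If it completes without a touch, the policy was not
        # applied and the key should not be trusted for touch-gated use.
    else
        echo "Applet version '${ver:-unknown}': --touch-policy is ignored on this device (YubiKey 4 or later required)" >&2
        exit 2
    fi
fi
```

Run with `RUN_ON_DEVICE=1 sh check-touch-policy.sh` against a real key; the first `selfsign-certificate` after generation doubles as the confirmation that touch is actually enforced, which is the check the original commands in this issue could not give on a NEO.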

drebes commented 7 years ago

Thanks for clarifying, closing this issue.

drebes commented 7 years ago

A quick follow-up, can you confirm whether the YubiKey 4 Nano also supports it? I would really like the feature and would get a 4 Nano if it does.

klali commented 7 years ago

Yes, all variants of the 4 support touch-policy.