smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

When touch policy is enabled, user isn't prompted to touch the yubikey #40

Closed tashian closed 1 year ago

tashian commented 1 year ago

When I run an ACME DA challenge on an attestation certificate with a touch policy that isn't "never", I need to touch the yubikey to complete the challenge. It would be nice to prompt the user to touch the key in this scenario.

maraino commented 1 year ago

We don't have a way to know if you need to touch the key or not; in fact, in device attestation you might need to touch it multiple times. What we can do is add a generic message.

tashian commented 1 year ago

Oh, that's annoying. But, I just noticed that Safari also doesn't prompt on this either when using the cert. So, I think the expectation is that you have to look for the light to flash on the key. Closing this for now.