misusing USB keycards?

Posted Oct 4, 2017 21:44 UTC (Wed) by karkhaz (subscriber, #99844)
In reply to: misusing USB keycards? by anarcat
Parent article: Strategies for offline PGP key storage

> Yes, they could and no, there's *generally* no visual indicator (although the Yubikey NEO does have a neat little LED in the middle that buzzes when things are happening on the key. It's hardly usable as an indicator, however. I would rather see a keycard that would force me to tap it to confirm operations.

Is the touch-to-sign feature on YubiKey 4 what you're looking for?

> YubiKey 4 introduces a new touch feature that allows to protect the use of the private keys with an additional layer. When this functionality is enabled, the result of a cryptographic operation involving a private key (signature, decryption or authentication) is released only if the correct user PIN is provided _and_ the YubiKey touch sensor is triggered

https://developers.yubico.com/PGP/Card_edit.html

to post comments

misusing USB keycards?

Posted Oct 5, 2017 12:55 UTC (Thu) by anarcat (subscriber, #66354) [Link] (1 responses)

That's pretty neat, i gotta say. :)

misusing USB keycards?

Posted Oct 13, 2017 3:46 UTC (Fri) by ras (subscriber, #33059) [Link]

The consensus on Debian seemed to be Yubikey is in general very neat. It's amazingly robust, it's got all the features you want, and if they begged and pleaded enough they could probably get it at the right price. It's a consensus I agree with, as I use the things in my day job.

The fly in the ointment is its proprietary. Ergo some assume it's probably backdoor'ed. I'd be acting on the assumption too, even though I think on the balance of probabilities it's not. Add closed + proprietary and Debian don't mix well, and it doesn't look like Yubikey would fly with Debian.