When will PIV functionality be stable? #389

Open
anotherbridge opened this issue Nov 24, 2023 · 7 comments

@anotherbridge

I would be interested if you already have an estimate on when the PIV functionality will be considered as stable?

Thanks a lot in advance!

@daringer
Collaborator

daringer commented Nov 30, 2023

Currently there is no clear roadmap for stabilizing PIV. This is mainly due to the fact that we do not see many requests/users who are interested in this. Another reason is that to fully utilize PIV inside a Windows AD environment we would also need a "MiniDriver" to make best use of it. Currently there is a way to achieve at least PIV-based logins on AD clients and we are also improving it currently, but as mentioned before: due to limited demand (at least from what we know) this is not a high priority currently.

Please 👍 this comment to increase priority on this functionality...

@jplejacq-quoininc-com

Just a vote for the importance to me of PIV. We need this for system login for Linux, macOS, and Windows as well as for VPN.

@Pierre-Gronau-ndaal

Me too! I vote for the importance to me of PIV. We need this for system login for Linux, macOS, and Windows as well as for VPN.

@daringer
Collaborator

daringer commented Dec 4, 2023

If you haven't, please 👍 my comment above so we can collect people who are interested in this feature.

Additionally, if possible, could you maybe share some details about your intended use-cases? Any of the following questions would be interesting for us:

  1. Can you share any high-level use-case you would like to use PIV for?
  2. Does your use-case need a r/w-enabled Mini-Driver for Windows?
  3. There is a generic ro-enabled Mini-Driver within OpenSC, is this enough?
  4. Which of the many PIV extensions are preferable for you?
  5. How would you provision PIV on the Nitrokey 3? Do you have your own (FOSS?) tooling? Or would you need us to provide this tooling, too?

thanks

@jplejacq-quoininc-com

1. Can you share any high-level use-case you would like to use PIV for?

At a company level we have three use cases, listed by priority:

  1. VPN (IPSec based) using self managed certificate authority.
  2. System authentication primarily for macOS and Linux, secondarily Windows AD.
  3. Possibly S/MIME.

2. Does your use-case need a r/w-enabled Mini-Driver for Windows?

No.

3. There is a generic ro-enabled Mini-Driver within OpenSC, is this enough?

Yes.

4. Which of the many PIV extensions are preferable for you?

The only one at the moment is curve 25519 key support. This is something we are exploring.

5. How would you provision PIV on the Nitrokey 3? Do you have your own (FOSS?) tooling? Or would you need us to provide this tooling, too?

FOSS tooling based on Linux would be the preferred solution.

@SunStrom

Our use case is basically identical, just with slightly different priorities:

1. Can you share any high-level use-case you would like to use PIV for?

  1. System authentication (Windows)
  2. VPN auth (OpenVPN)
  3. possibly S/MIME

2. Does your use-case need a r/w-enabled Mini-Driver for Windows?

No.

3. There is a generic ro-enabled Mini-Driver within OpenSC, is this enough?

Yes.

4. Which of the many PIV extensions are preferable for you?

ECC, curve 25519 if possible.

5. How would you provision PIV on the Nitrokey 3? Do you have your own (FOSS?) tooling? Or would you need us to provide this tooling, too?

As far as I understand, provisioning is already possible with FOSS tooling (just neither easy nor comfortable) if you have the needed master key for the card - this would be enough.

@tgahlx

tgahlx commented Apr 11, 2024

I would also like to vote for this feature as we want to roll out tokens in our enterprise and would rather not buy YubiKeys.
We like this idea of having a single smartcard that supports multiple use cases like PIV and passkeys and others together.

  1. Can you share any high-level use-case you would like to use PIV for?

Cert based Authentication and Authorization on different Systems and services and S/MIME.

  2. Does your use-case need a r/w-enabled Mini-Driver for Windows?

Not now.

  3. There is a generic ro-enabled Mini-Driver within OpenSC, is this enough?

Yes

  4. Which of the many PIV extensions are preferable for you?

Support Keys as stated in the FAQ
https://docs.nitrokey.com/nitrokey3/faq

  5. How would you provision PIV on the Nitrokey 3? Do you have your own (FOSS?) tooling? Or would you need us to provide this tooling, too?

using nitropy, piv-tool or default cli tools like pkcs11/15
