Usage of touch button #146

Open
jans23 opened this issue Apr 20, 2023 · 11 comments
Labels
documentation Improvements or additions to documentation

Comments

@jans23
Member

jans23 commented Apr 20, 2023

Touch button should be used for sensitive Opcard operations.

@sosthene-nitrokey
Collaborator

This is already implemented.

You can set it by using `opgpcard admin --card <card id> touch --key <KEY> --policy <policy>`

With card id obtained by `opgpcard status` (something like `0000:A02005CE`), `<KEY>` being `SIG`, `DEC` or `AUT`, and `<policy>` being `Off`, `On` or `Fixed` (`Fixed` means On but can't be changed until factory reset).

In gpg it can also be configured with `gpg --edit-card` (`admin`, then `uif`)
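How the Off / On / Fixed policies from the comment above are stored on the card, as an added example that is not part of the original thread or of the project's code. It assumes the OpenPGP card specification's two-byte User Interaction Flag objects (tags D6, D7, D8 for signing, decryption and authentication); the function names and the sample bytes are constructed for illustration, and reading the objects from a device is out of scope.

```python
# Added example: decode OpenPGP card UIF data objects and list key slots
# that can be used without a touch. Names here are hypothetical helpers.

# First UIF byte -> policy name as used by `opgpcard ... touch --policy`.
POLICY = {0x00: "Off", 0x01: "On", 0x02: "Fixed"}
# UIF data object tag -> key slot.
SLOT = {0xD6: "SIG", 0xD7: "DEC", 0xD8: "AUT"}
# Second UIF byte: button/keypad bit of the general feature management byte.
BUTTON_FEATURE = 0x20


def decode_uif(tag: int, value: bytes) -> dict:
    """Decode one UIF data object into slot, policy and button flag."""
    if tag not in SLOT:
        raise ValueError(f"not a UIF tag: {tag:#04x}")
    if len(value) != 2:
        raise ValueError(f"UIF for {SLOT[tag]} must be 2 bytes, got {len(value)}")
    return {
        "slot": SLOT[tag],
        # Values outside the three standard ones are reported, not guessed.
        "policy": POLICY.get(value[0], f"unknown({value[0]:#04x})"),
        "button": bool(value[1] & BUTTON_FEATURE),
    }


def audit(uif_objects: dict) -> list:
    """Return the key slots whose operations do not require a touch."""
    findings = []
    for tag in sorted(SLOT):
        raw = uif_objects.get(tag)
        # A missing object or any policy other than On/Fixed is a finding.
        if raw is None or decode_uif(tag, raw)["policy"] not in ("On", "Fixed"):
            findings.append(SLOT[tag])
    return findings


# Constructed sample: SIG is Fixed, DEC is Off, AUT is On.
SAMPLE = {0xD6: bytes([0x02, 0x20]), 0xD7: bytes([0x00, 0x20]), 0xD8: bytes([0x01, 0x20])}

if __name__ == "__main__":
    for tag, raw in SAMPLE.items():
        print(decode_uif(tag, raw))
    print("no touch required:", audit(SAMPLE))
```

With the default policy discussed in this thread (Off on every slot), `audit` reports all three slots.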

@sosthene-nitrokey
Collaborator

Maybe we could change the default setting? It's currently on Off.

@jans23
Member Author

jans23 commented Apr 20, 2023

Does GnuPG inform the user to confirm operations (via button)?

Where does opgpcard come from?

Do you know the default behaviour of other OpenPGP Card implementations?

@sosthene-nitrokey
Collaborator

`opgpcard` comes from openpgpcard-tools. Yubikeys default to off (Yubikeys also have some additional settings regarding this, relating to caching the user presence for a while).

gnuk also appears to default to off. The specification also says that off is the default.

@jans23
Member Author

jans23 commented Apr 20, 2023

It would be good if pynitrokey supports this setting. And we should document it in our docs.

@sosthene-nitrokey
Collaborator

If we want to add support for the UIF flag in nitropy, don't we also want to add support for more openpgp related functionality in it (factory reset, pin configuration and general administration commands)?

Same for the documentation, if we start documenting parts of the standard, should we also build a more extensive documentation of openpgp smartcard usage?

@szszszsz
Member

  1. I think ideally pynitrokey / Nitrokey App 2 would be self-contained regarding the device configuration, so mentioned settings would be very much welcomed.
  2. Re docs, do you think the content on docs.nitrokey is not enough?

@sosthene-nitrokey
Collaborator

In the nitrokey 3 section there is nothing regarding OpenPGP. It's true that the nitrokey storage does have some OpenPGP related docs. I guess most of it would apply and could be copied into the nitrokey 3 docs, with addition of UIF?

@szszszsz
Member

Yes, I think so as well. Parts of the documentation are already shared between multiple devices, since it's mostly a single feature description to be easier to maintain.

@sosthene-nitrokey
Collaborator

Should we wait for it to be stable on the nitrokey 3 before adding the documentation?

@szszszsz
Member

I would not wait, but instead just add a warning box that this is about test firmware, which will soon be stable.

@jans23 jans23 added the documentation Improvements or additions to documentation label Apr 21, 2023