[Gnuk-users] Gnuk, Nitrokey and upstream contributions

NIIBE Yutaka gniibe at fsij.org
Tue Sep 8 07:58:31 UTC 2015


On 09/08/2015 03:21 PM, Nico Rikken wrote:
>> I don't know yet about Nitrokey Pro, but I'm sure that it's better than
>> arbitrary card readers with proprietary firmware.  Those tokens like
>> Yubikey or Nitrokey Pro have had better testing with GnuPG than any
>> card readers.
> 
> Than any or than some? Multiple card readers are suggested for use with
> GnuPG and I assumed they worked flawlessly. But if I understand
> correctly Yubikey, Nitrokey Pro, and Gnuk-based solutions work better.

Yes, some card reader vendors are kind enough to disclose interface
information.  Or, some users of card readers are kind enough to offer
hardware access.  GnuPG's support for that hardware comes from such
collaborations.  Still, we have some corner cases, like pinpad
support.

I meant that the CCID (i.e., card reader interface) implementation by
free software (of Gnuk, Yubikey and Nitrokey) is better than the
proprietary firmware of existing card readers.

> This is not my field of expertise, but I use the Yubikey OTP on a daily
> basis, as well as the HOTP or TOTP (using FreeOTP on my smartphone
> https://fedorahosted.org/freeotp/ ). U2F (FIDO) seems to be using a
> different set of standards, so I'm kinda lost in the available options.
> Bottom line, having a two-factor solution separate from your computer,
> without the need for a charged battery, would be great. And from this
> standpoint incorporating it in the Gnuk software seems to make sense.

Let me elaborate on this.

Usually, OTP (at least HOTP and TOTP) uses a shared secret.  Shared
secret means that it's shared between the token and the server.

In my case of OTP, I don't control its computing at all.  My OTP token
is not my property; a bank lent it to me to access their services.  I
don't/can't handle the shared secret directly; all I can do is
push the button (and see the digits, for some implementations).
For those devices, I don't care much whether it's done by free software or
not, because I don't control it anyway.

I know that there are other usages of OTP, where users can control
its computing somehow and handle the shared secret themselves.
But I think that it's not the major usage.

I mean, the major usage of OTP would be this: some entity asks you to use
the device with the secret (for their security), and the secret is
under the control of that entity.

On the other hand, I design Gnuk under the assumption that it's the user
who controls his/her computing.

So, I think that the major usages of an OTP token and a Gnuk Token would be
different.  I think that it would be better to have separate devices
for such different usages.

If I use an OTP which is under my control, I would put my shared
secret on my PC or on my phone, possibly encrypted with the public key of
my Gnuk Token.  It's just like the SSID/passphrase to access some wireless
network.  For me, it's not as important as my private keys.

Well, Nitrokey Pro would be a good design, if we talk about this kind
of data separation and management.  Your private keys are in the
smartcard module, while (IIUC) the OTP shared secret is stored in flash
ROM somewhere.

> But if I only use the tried and true versions, the contribution would of
> course be limited. I guess it would then forward development in the way
> GPGv2 was included in Debian: it has been around for a while and many
> people have been using it, so let's start the transition. So I can be one
> of the early adopters to add to the 'already in use' argument.

I don't think so.  Things are not that easy.  For example, Nitrokey
Pro is a new implementation (of CCID firmware), so there will be some
issues.  Since Nitrokey Start is the first external adopter of Gnuk,
there will be some other issues.  IIUC, it has a different vendor ID and
product ID from the Gnuk Token from FSIJ.  Thus, I think that there will
be some problems where we assume FSIJ's vendor ID.

If a user like you can test Nitrokey Pro or Nitrokey Start, it will
be a great contribution, both to Nitrokey and to the GnuPG community.

> That's great and a win-win. Maybe it would be great to have someone in
> the EU to help distribute them there. Maybe https://tehnoetic.com/ can
> help? And on that topic, would an FSF hardware endorsement be possible?

Thanks for the pointer.  At Debconf15, I was also asked by a person
from Romania.

Speaking about the FSF's RYF certification program: yes, I submitted my
request to the FSF in 2014.  We discussed it and I improved my own
distribution (developing Fraucheky to distribute the GNU GPL together
with it, adding distribution of an off-line copy of git.gniibe.org, etc.).
Now I am waiting for the FSF's final decision.  I think it takes time.
Besides, I understand that the Gnuk Token and NeuG USB RNG are a bit out
of scope from the viewpoint of the RYF certification program (which may
cover more important things like encryption and privacy).  The arrangement
with the FSF shop finished faster.
-- 
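The shared-secret model described in the mail above (HOTP/TOTP, where the token and the verifying server hold the same key) is short enough to show in working code. The following is an added example, not code from this mail, from Gnuk, or from Nitrokey: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, checks them against the test vectors published in those RFCs, and shows that the verifier must keep a copy of the very same secret bytes the token has, which is exactly why a copy of the server's record is as good as the token. The function names, the `window` parameter and the demo seed are my own choices and not taken from any project.

```python
import hmac
import hashlib
import struct

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used only to check against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"

# (counter, expected 6-digit HOTP) pairs from RFC 4226, Appendix D.
RFC4226_VECTORS = [
    (0, "755224"), (1, "287082"), (2, "359152"), (3, "969429"), (4, "338314"),
    (5, "254676"), (6, "287922"), (7, "162583"), (8, "399871"), (9, "520489"),
]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` time steps of clock skew are tolerated on
    each side of the current step; the string comparison is constant-time."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def check_rfc_vectors() -> bool:
    """True if this implementation reproduces the RFC 4226 and RFC 6238 vectors."""
    hotp_ok = all(hotp(RFC_TEST_SECRET, c) == expected for c, expected in RFC4226_VECTORS)
    # RFC 6238 Appendix B, SHA1 row for T = 59 seconds (8 digits).
    totp_ok = totp(RFC_TEST_SECRET, 59, digits=8) == "94287082"
    return hotp_ok and totp_ok


def enrollment_demo(unix_time: int = 1_600_000_000) -> dict:
    """Token and server are enrolled with one secret (constructed here).
    Whoever holds the server's copy of that secret can compute the same
    codes, which is the 'shared' in shared secret."""
    secret = hashlib.sha256(b"constructed demo seed").digest()[:20]   # 160-bit seed
    token_side = totp(secret, unix_time)           # what the token would display
    server_record = {"user": "alice", "secret": secret}   # what the verifier must store
    copy_of_record = dict(server_record)           # e.g. a backup of the verifier's table
    return {
        "token_code": token_side,
        "server_accepts": verify_totp(server_record["secret"], token_side, unix_time),
        "copy_of_record_suffices": verify_totp(
            secret, totp(copy_of_record["secret"], unix_time), unix_time),
    }


if __name__ == "__main__":
    print("RFC vectors reproduced:", check_rfc_vectors())
    print(enrollment_demo())
```

Run stand-alone, the script reports whether the RFC vectors match and prints the demo dictionary. The last key is the point the mail makes: the OTP seed lives in two places by construction, so protecting it is a matter of protecting stored data (on the PC or phone, possibly encrypted to the Gnuk Token's public key), whereas a private key generated inside the smartcard module has only one copy and never has to be handed to the other side.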