[Gnuk-users] gnuk-users Digest, Vol 107, Issue 3

Mike Tsao mike at sowbug.com
Thu Jan 11 06:48:23 UTC 2018


On Wed, Jan 10, 2018 at 7:17 PM Srinivas V <vsrinu26f at gmail.com> wrote:

> Do keytocard before setting passwords. Reason: there is nothing to
> encrypt. Seems some passwords are not stored. More secure.
>
> Regarding bricking: power off then power on then try swd flash.
>

I understand the rationale. Unfortunately, this leaves a window where the
keys' capabilities will be protected only by the default PINs. In most
cases this window will be brief, but it's quite foreseeable to be at work,
loading a key onto a gnuk smart card, and then getting distracted by a
coworker and leaving the smart card in the open, accessible via 123456.

If I'm understanding the current gnuk code, the key-before-PIN policy is
also the mechanism of the implementation ("Gnuk 1.2 does validation of user
PIN by successful decryption of private key"), so it doesn't appear that
someone with a perspective like mine can easily or elegantly reconfigure
gnuk accordingly.