[HN Gopher] OpenPGP master key on Nitrokey Start
___________________________________________________________________
OpenPGP master key on Nitrokey Start
Author : todsacerdoti
Score : 52 points
Date : 2023-03-28 06:11 UTC (16 hours ago)
(HTM) web link (blog.josefsson.org)
(TXT) w3m dump (blog.josefsson.org)
| matheusmoreira wrote:
| These hardware devices can fail and take the key with them.
| Master keys aren't expendable like subkeys so it's always a good
| idea to have a paperkey backup. I worked on binary decoding for
| zbar to make them easy to decode with a laptop camera.
| lxgr wrote:
| Yes, and the author is importing a key from offline storage,
| not creating one on the Nitrokey directly.
| Reitet00 wrote:
| Could you share your script?
| exabrial wrote:
| Similar setup here. Even my ssh key is a subkey of my pgp key.
|
| Pgp's most valuable use case is still establishing a digital
| identity toehold. The PGP key that is used to sign the commit, is
| also used to SSH to git server, is also used to sign the code
| review comments, is also used to sign the build binaries.
|
| I'm hoping some day there is website authentication integration
| via passkey or the like.
| woodruffw wrote:
| Digital identities are useful insofar as they're (1) binding,
| and (2) actually easy for others to verify, neither of which is
| particularly true for PGP (especially given the WoT/strong
| set's demise).
|
| The closest thing to a binding identity in the PGP ecosystem is
| OpenPGP's "verifying keyserver," which issues a challenge to a
| submitted PGP key's claimed email address. But that isn't a
| very strong proof of identity, and it doesn't prevent anybody
| from claiming to be anybody else in the broader PGP ecosystem.
| upofadown wrote:
| These days people tend to have multiple aspects to their
| identity that they keep separate. You probably want to have a
| Github identity separate from, say, a social media identity
| or, say, your legal identity. Verifying such identities is
| heavily contextual. So a system that lets you generate your
| own identities in a well standardized way is useful.
| gabereiser wrote:
| This. Because people have their personal identity, their
| work identity, maybe a corporate identity if they run a
| company. It's too complex a concept to codify into an Uber-
| identity.
| [deleted]
| wkat4242 wrote:
| This is the problem though, social media and advertising
| companies try to break this barrier so they can data mine
| you better.
|
| This is why Facebook has a real name policy for example.
|
| With the move to federated systems in commercial hands (log
| in with Facebook, Google etc) this only becomes harder to
| escape.
| woile wrote:
| Is there some kind of tutorial as of how to control one's
| identity with PGP or other tools?
| paletteOvO wrote:
| Canokey is also a cheap open source alternative hardware key to
| Yubikey.
| nathanmcrae wrote:
| I think people should seriously consider using something like
| passphrase2pgp [0] in addition to a hardware key like this. That
| way you can have a brain key (hopefully generated with diceware
| or equivalent) to tie together day-to-day keys like this to a
| more permanent identity. I'm honestly surprised that strategy is
| not more widespread.
|
| [0] https://github.com/skeeto/passphrase2pgp
| jmclnx wrote:
| I do not use these hardware keys, but I can see a use for then
| since I bounce between Linux, NetBSD and OpenBSD depending on
| what I am doing for testing programs I develop at work.
|
| I can assume Linux and a good chance FreeBSD will have no issues
| with this device. I am curious about the other *BSDs though.
| behnamoh wrote:
| Fun fact: I read it as OpenGPT!
| unwind wrote:
| This page won't load for me (Firefox 111.0.1, Windows), I get a
| MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error.
| LinuxBender wrote:
| Qualys [1] does not appear to see any issues. Do you see the
| same fingerprint? _ruling out MitM_ openssl
| s_client -connect blog.josefsson.org:443 < /dev/null
| 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in
| /dev/stdin sha256 Fingerprint=AC:6A:41:71:DE:1C:B6:93:F
| 0:63:56:D6:12:72:B3:27:B2:A7:C9:3F:86:4D:D9:55:63:B9:CB:CA:F6:3
| 8:83:70
|
| This [2] may also be related. If you go to _about:config_ and
| search for "security.ssl.enable_ocsp_must_staple" is it set to
| true? OCSP stapling offered,
| not revoked OCSP must staple extension supported
|
| [1] -
| https://www.ssllabs.com/ssltest/analyze.html?d=blog.josefsso...
|
| [2] - https://support.mozilla.org/en-US/questions/1149911
| ThePowerOfFuet wrote:
| Are you accessing from a corporate network where they are doing
| TLS interception? If so, the replacement certificate isn't
| stapled and Firefox is picking up on that because the site
| requires it.
| jdoss wrote:
| If you are looking to do something similar with a Yubikey check
| out https://github.com/drduh/YubiKey-Guide for getting started.
|
| It is by far the most comprehensive guide on using a YubiKey as a
| SmartCard for storing GPG keys. I used this a few years ago and
| it helped clear up any confusion I had about getting the most out
| of my Yubikey 5 NFC.
| cge wrote:
| While a nicely comprehensive guide for other topics, and
| similar to my use of a Yubikey, it looks like it's actually
| almost entirely separate from what this post is about: storing
| a PGP _master_ key on a hardware key, separate from the subkeys
| (which are likely on a different hardware key), so that it can
| be more easily used to sign the PGP keys of _other_ people, for
| web-of-trust purposes. Those topics don 't seem to be
| considered at all in that guide, and are rather less common.
| aborsy wrote:
| How do Nitro keys compare with Yubikey 5 NFC?
|
| Nitro keys are semi open source. Other than that, any advantage?
| draven wrote:
| I hesitated between both, but the nitrokey 3 has so many things
| listed as "planned" that I went for a Yubikey (I bought two, a
| 5a NFC and a 5c NFC.)
| palata wrote:
| My Yubikey 5 NFC rocks. Just works, does everything I want.
|
| I ordered a Nitrokey 3C NFC 2 years ago, never heard from them
| until a week ago where they said they shipped it (I'll believe
| it when I receive it). I tried to contact their support once to
| kindly ask if I still existed in their database, they answered
| that I should read the blog in a rude way (which did not even
| answer my question).
|
| They were claiming 2 years ago that they had many features (my
| understanding was "almost compares to Yubikey"), and I realized
| recently that it was not only not true, but in those 2 years
| they haven't reached feature parity (not even remotely).
|
| So... feel free to order a Nitrokey to support them (I did, and
| my hope is that it will get better), but if you want something
| that works today, go for Yubikey.
| aborsy wrote:
| Thanks for sharing!
|
| The main limitation of the Yubikey is that the firmware is
| closed source and potentially even backdoored. Otherwise the
| construction and features of Yubikey are pretty good.
| wkat4242 wrote:
| The Yubikey firmware is open but the problem is that you
| can't overwrite it anymore. They did this during the
| Yubikey NEO age, the first ones could still be updated.
| They say they did it to avoid authentication bypass attacks
| which makes sense but there should be other ways to do
| that. And the updatability keeps it current and also allows
| for verified builds.
|
| About a year after they changed it though there was a huge
| vulnerability in the Yubikey where it failed to actually
| check the pincode making the security useless. Which proved
| locking the firmware was a bad idea IMO. They ended up
| having to replace tons of them which could have been
| updated. I was hoping they'd bring updatable firmware back
| but they didn't.
| aborsy wrote:
| Yeah, the thought that Yubikey may not require PIN in
| some cases is scary. It's like a GPG key without a
| password in home directory. Not only it will be useless,
| but actually harmful.
|
| For such reasons, I have been searching for alternatives.
| It seems other products have other issues.
| fsflover wrote:
| > Nitro keys are semi open source.
|
| And Librem Key fully relies on FLOSS.
| aborsy wrote:
| Looks like there are usability problems
|
| https://forums.puri.sm/t/librem-key-practical-usage-
| scenario...
|
| Lacks FIDO, and curve 25519.
___________________________________________________________________
(page generated 2023-03-28 23:02 UTC)