... | ... | @@ -209,6 +209,8 @@ The YubiKeys also ship with an "OpenPGP smartcard applet" that allows |
you to store cryptographic keys. The YubikKey 5 in particular supports
ECC keys.
### Why OpenPGP
We use OpenPGP here because it's still the "standard" (e.g. specified
in RFCs) way to do interoperable offline cryptographic operations in
various locations. It's also heavily used at Tor and, until further
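Review bot: "YubikKey" in the second line of this hunk is a typo for "YubiKey". The ECC sentence is also less precise than it could be: ECC support in the OpenPGP applet arrived with YubiKey 5 firmware 5.2.3, so a reader with an earlier 5-series key will not get it; stating the firmware requirement avoids that surprise. Similarly, "specified in RFCs" would carry more weight with the reference itself (RFC 4880 for OpenPGP) rather than the generic "e.g.".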
... | ... | @@ -218,6 +220,21 @@ Finally, the OpenPGP applet provides a way to use SSH with YubiKeys |
that is somewhat clunky, but doesn't suffer from backwards
compatibility problems that the SSH `sk-` keys suffer from.
That said, there are serious issues with using OpenPGP here:
1. it's awfully complicated
2. it's brittle
3. it doesn't support "touch detection" (i.e. there is no user
feedback when the device requires a touch, other than the device
itself blinking, something that the FIDO2 applet solves, see [this
discussion](https://forum.yubico.com/viewtopicff3d.html?f=35&t=2397&p=9869) and [this tool](https://github.com/maximbaz/yubikey-touch-detector) for a workaround)
### Why GnuPG
See [our OpenPGP docs]() for that discussion.
### Implementation details
The stack we going to setup is as follows:
1. YubiKey (hardware)
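Review bot: the link in "See [our OpenPGP docs]() for that discussion." has an empty target and will render as a dead link under "### Why GnuPG"; the path to the OpenPGP page needs to be filled in before this merges. Two smaller points in the same hunk: "The stack we going to setup is as follows:" should read "The stack we are going to set up is as follows:", and the statement that SSH `sk-` keys "suffer from backwards compatibility problems" would be clearer if it named the problem, namely that `sk-` keys need OpenSSH 8.2 or newer on both the client and the server, since that is the actual trade-off the reader is being asked to weigh against the "somewhat clunky" OpenPGP route.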