Verified Commit 08119a4b authored by anarcat's avatar anarcat 💥
Browse files

document my actual touch policy first

Onboarding @lelutin (tpo/tpa/team#41599), I realized I was telling him
"oh just follow the later thing" so that means I need to tweak the
guide.
parent 922ba4cc
Loading
Loading
Loading
Loading
+24 −25
Original line number Diff line number Diff line
@@ -675,16 +675,35 @@ are marked `sec>` and `ssb>`, not `sec` and `ssb`.
This is optional.

You may want to change the touch policy. This requires you to touch
the YubiKey to consent to cryptographic operation. Here's one policy,
for example:
the YubiKey to consent to cryptographic operation. Here is a full
touch policy:

    ykman openpgp keys set-touch sig on
    ykman openpgp keys set-touch enc on
    ykman openpgp keys set-touch sig cached
    ykman openpgp keys set-touch enc cached
    ykman openpgp keys set-touch aut cached

NOTE: the above didn't work before the OpenPGP keys were created, that
is normal.

The above means that touch is required to confirm signature,
encryption and authentication operations, but is cached 15
seconds. The rationale is this:

 * `sig on` is absolutely painful if you go through a large rebase and
   need to re-sign a lot of commits
 * `enc on` is similarly hard if you are decrypting a large thread of
   multiple messages
 * `aut` is crucial when running batch jobs on multiple servers, as
   tapping for every one of those would lead to alert fatigue, and in
   fact I sometimes just flip back `aut off` for some batches that
   take longer than 15 seconds

Another policy could be:

    ykman openpgp keys set-touch sig on
    ykman openpgp keys set-touch enc on
    ykman openpgp keys set-touch aut cached

That means:

 1. touch is required to confirm signatures
@@ -692,11 +711,6 @@ That means:
 3. touch is required to confirm authentication, but is cached 15
    seconds

The latter merits some explanation. I operate a lot of servers, and
sometimes run batch commands on many of them at once. Tapping for
every one of those would lead to alert fatigue and be extremely
annoying. The 15 seconds delay is a good compromise.

You can see the current policies with `ykman openpgp info`, for
example:

@@ -730,22 +744,7 @@ after a delay, respecting the `default-cache-ttl` and `max-cache-ttl`
settings from `gpg-agent.conf`, but alas this do not currently take
effect.

Ultimately, I ended up setting all to `cached`:

    ykman openpgp keys set-touch sig cached
    ykman openpgp keys set-touch enc cached
    ykman openpgp keys set-touch aut cached

The rationale is this:

 * `sig on` is absolutely painful if you go through a large rebase and
   need to re-sign a lot of commits
 * `enc on` is similarly hard if you are decrypting a large thread of
   multiple messages
 * `aut` is mentioned above, and in fact I sometimes just flip back
   `aut off` for some batches that take longer than 15 seconds

It should be noted that the `cache` setting is a 15 seconds delay
It should also be noted that the `cache` setting is a 15 seconds delay
*total*: it does *not* reset when a new operation is done. This means
that the entirety of the job needs to take less than 15 seconds, which
is why I sometimes completely disable it for larger runs.