Hi,
On Sun, 2024-03-31 at 14:34 +0200, Pierre-Elliott Bécue wrote:
> The PGP submodule of a Yubikey can host 3 keys, one signing, one
> authent, and one encrypt. ISTR accessing the signing key is always
> prompting for the PIN. Same for the encryption key. (I think both can
> be configured otherwise)

I think presence confirmation is more useful, that is, interacting physically with the device for each signature. The Yubikey can do that also for OpenPGP:

```
$ ykman openpgp keys set-touch --help
[...]
  Touch policies:
  Off (default)   no touch required
  On              touch required
  Fixed           touch required, can't be disabled without deleting the private key
  Cached          touch required, cached for 15s after use
  Cached-Fixed    touch required, cached for 15s after use, can't be disabled without deleting the private key
```

(The PIN can still be cached.)

For OpenSSH it might also be more convenient to use Webauthn, that is, the keys generated using `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`.

Ansgar
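
Added example, not part of the message above: a server-side audit of `authorized_keys` entries showing where sshd itself enforces presence confirmation. It assumes sshd's documented `no-touch-required` and `verify-required` key options; the sample lines, key blobs and verdict labels are constructed for illustration.

```python
import re

# Key types produced by `ssh-keygen -t ed25519-sk` / `-t ecdsa-sk`.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Layout: [options] keytype base64-blob [comment]; option values may be quoted.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>[a-z][a-z0-9@.-]*)\s+(?P<blob>AAAA\S*)'
)

def option_names(opts):
    """Names of the comma-separated options, ignoring commas inside quotes."""
    parts = re.finditer(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', opts or "")
    return [p.group(0).split("=", 1)[0].lower() for p in parts]

def audit_line(line):
    """Return (key_type, verdict) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m:
        return ("?", "unparsed")
    ktype, opts = m.group("type"), option_names(m.group("opts"))
    if ktype not in SK_TYPES:
        # A plain key may still live on a token (e.g. the OpenPGP applet with a
        # touch policy), but the server cannot see or enforce that.
        return (ktype, "presence-not-enforced")
    if "no-touch-required" in opts:
        return (ktype, "touch-disabled")
    if "verify-required" in opts:
        return (ktype, "touch+pin")
    return (ktype, "touch")  # sshd requires user presence for sk keys by default

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

# Constructed sample; the blobs are placeholders, not real keys.
SAMPLE = '''# constructed authorized_keys
sk-ssh-ed25519@openssh.com AAAAconstructed1 bob@laptop
no-touch-required sk-ssh-ed25519@openssh.com AAAAconstructed2 alice@ci
command="/usr/bin/backup now",verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAconstructed3 carol
ssh-ed25519 AAAAconstructed4 dave@desktop
'''

if __name__ == "__main__":
    for ktype, verdict in audit(SAMPLE):
        print(f"{verdict:22} {ktype}")
```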