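On 23/04/15 00:22, Jose Castillo wrote:
> in the case of NFC, which is a big use case for the Yubikey

I hadn't considered NFC at all, it's good you brought it up. In fact, if sniffing reveals the PIN and my threat model includes physically nearby attackers, I wouldn't use it at all, whether it had a PIN or not.

But I suppose it could work if you only use the NFC functionality when you're in a safe environment such as your own home. It seems a comfortable way of using your crypto hardware. As long as you only worry about attackers that are elsewhere.

A similar scenario from real life: Right now, they're rolling out a payment system here in The Netherlands where you only need to tap your bank card to the payment terminal to do small payments. That's all that is needed. Or, since everything is relative, where an employee of the shop you're in only needs to tap the payment terminal to your wallet as they accidentally bump into you. So I'm still looking for a sturdy yet practical metallic sleeve to put around the bank card as soon as they replace my non-NFC card with an NFC card :). The one I've seen looked too finicky to remove your bank card from, which you do every time you need to pay in a shop...

> Personally, I think that it’s unsafe to have a PGP key on an old
> Yubikey that exhibits this vulnerability, which is why I submitted
> it to the list.

I agree. However, I seem to have been under the wrong impression that it was a matter of a software upgrade, and that we were merely assessing the risk that something had gone wrong before you did the upgrade.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>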
I hadn't considered NFC at all, it's good you brought it up. In fact, if sniffing reveals the PIN and my threat model includes physically nearby attackers, I wouldn't use it at all, whether it had PIN or not. But I suppose it could work if you only use the NFC functionality when you're in a safe environment such as your own home. It seems a comfortable way of using your crypto hardware. As long as you only worry about attackers that are elsewhere. A similar scenario from real life: Right now, they're rolling out a payment system here in The Netherlands where you only need to tap your bank card to the payment terminal to do small payments. That's all that is needed. Or, since everything is relative, where an employee of the shop you're in only needs to tap the payment terminal to your wallet as they accidentally bumps into you. So I'm still looking for a sturdy yet practical metallic sleeve to put around the bank card as soon as they replace my non-NFC card with an NFC card :). The one I've seen looked to finnicky to remove your bank card from, which you do every time you need to pay in a shop... > Personally, I think that it’s unsafe to have a PGP key on an old > Yubikey that exhibits this vulnerability, which is why I submitted > it to the list. I agree. However, I seem to have been under the wrong impression that it was a matter of a software upgrade, and that we were merely assessing the risk that something had gone wrong before you did the upgrade. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter> _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users