The VID/PID Problem of Gnuk Devices

tomli at tomli.me tomli at tomli.me
Sun Feb 4 20:27:51 CET 2018 

Hello,

(TL;DR: start reading from the 5th-paragraph of the mail.)

I'm a core member from Beijing GNU/Linux User Group - an informal
association for advocating free and open source software and the
use of cryptography to protect users' freedom, security and privacy.

Recently, we are working on a project to assemble a small quatity (around
10 pieces) of homemade FST-01 compatible hardware tokens. We intended
to distribute this token as a gift for our members, contributors and
friends.

We also planned to sell these tokens with preloaded Gnuk firmware
(again, in small quatities), for several reasons. First, since SeeedStudio
no longer sells the original FST-01 tokens, for local users who need
them, getting it from a local Linux User Group is much more convenient
than ordering it from any remote vendors. Second, it can be a good
opportunity to promoto the use of free software and cryptography. Third,
it would also allow us to recover a portion of the fabrication costs
to ensure the balance of our limited budgets. Finally, we also hope the
act of making, using and distributing self-assembled Gnuk tokens would
encourage the decentralization of the supply of cryptographic devices.

I've already created our custom PCBs for these FST-01 tokens, the PCB is
a direct copy of the FST-01G design, with our logo and version number.
We've attributed Flying Stone Technology as the original designer, as
required by CC-BY-SA 3.0.

The only problem left is the VID/PID problem. We could distribute these
Gnuk tokens with our own VID/PID, but PC-SC and GnuPG would not recongize
these tokens as smartcard readers or OpenPGP Cards. We'll have to submit
patches to the upstream projects to include our IDs and wait for the
next release schedule.

Meanwhile, all users would also have to upgrade their local systems to
use the latest software packages, otherwise the Gnuk token will be an
unknown and unusable device on their systems.

This has severely limited the usefulness of these tokens, for example,
most people cannot use it since their systems don't recongize it
out-of-box, it will be a even bigger problems on specialized GNU/Linux
distros, such as a Tails LiveCD - the user may not have the chance
to upgrade at all.

In conclusion, I have three questions, first, how to patch GnuPG and
PC-SC to make them recongize it as a card reader with customized VID/PID?
And what is the easiest way to solve the interoperability problem?
I've read that FSIJ may accept 3rd-party to use the FSIJ's VID as
an authorized "second-source manufacturer", is it possible for us to
apply? Also, if we decided to use our own VID/PID in the end, is there
a way to avoid this nasty interoperability problem on existing systems?

Sincerely,
Tom Li
Beijing GNU/Linux User Group
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 851 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnuk-users/attachments/20180205/14f99a58/attachment.sig>

More information about the Gnuk-users mailing list