The VID/PID Problem of Gnuk Devices

NIIBE Yutaka gniibe at fsij.org
Tue Feb 6 02:45:10 CET 2018


Hello,

> Recently, we are working on a project to assemble a small quantity (around
> 10 pieces) of homemade FST-01 compatible hardware tokens. We intended
> to distribute this token as a gift for our members, contributors and
> friends.
>
> We also planned to sell these tokens with preloaded Gnuk firmware
> (again, in small quantities), for several reasons. First, since SeeedStudio
> no longer sells the original FST-01 tokens, for local users who need
> them, getting it from a local Linux User Group is much more convenient
> than ordering it from any remote vendors. Second, it can be a good
> opportunity to promote the use of free software and cryptography. Third,
> it would also allow us to recover a portion of the fabrication costs
> to ensure the balance of our limited budgets. Finally, we also hope the
> act of making, using and distributing self-assembled Gnuk tokens would
> encourage the decentralization of the supply of cryptographic devices.

Great.  That's exactly what I wanted to do many times, at many times.  But
I was unable to achieve that goal by myself.  I only had a Gnuk workshop
(with five people or so) in Japan.  Currently, the distribution channel
is only the FSF shop and me in person.

I am pleased that you are going to do that.

> In conclusion, I have three questions, first, how to patch GnuPG and
> PC-SC to make them recognize it as a card reader with customized VID/PID?

As an upstream GnuPG developer, I think that no changes are required for
GnuPG scdaemon itself, for a token with customized VID:PID.  All that we
need is configuration for accessing the hardware, in a distribution; for
example, in Debian, we have an entry for Gnuk Token (of FSIJ):

    https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git/tree/debian/scdaemon.udev

For PC/SC, you can send the information to upstream:

    http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant

But, IIRC, it is not a mandatory condition to use PC/SC reader.

Please note that for GNU/Linux machines, PC/SC is not required; we can
just use the in-stock CCID driver of GnuPG, which accesses directly using
libusb.

Please try some experiments with customized VID:PID.

Well, I'm afraid... some changes are needed for scripts in Gnuk.
VID:PID is hard-coded in some places.  And the VID:PID is assumed in
some examples in documents.

> And what is the easiest way to solve the interoperability problem?

For Gnuk Token with customized VID:PID, while Nitrokey had an
experience, I suppose, we don't know the details.  So, I think that you
need to pursue it by yourself.  Sure, we will help.

> I've read that FSIJ may accept 3rd-party to use the FSIJ's VID as
> an authorized "second-source manufacturer", is it possible for us to
> apply?

Yes.  I'll ask the members if it will be acceptable.

> Also, if we decided to use our own VID/PID in the end, is there a way
> to avoid this nasty interoperability problem on existing systems?

While I haven't identified the problems, it's not that hard, if any.
-- 
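
As an added illustration, not part of the original message and not code from Gnuk or GnuPG: a shell helper that prints a udev rule granting the logged-in user access to a token with a custom VID:PID, the kind of distribution-side configuration the message refers to for the libusb-based CCID driver. The function names and the sample IDs are assumptions, and `TAG+="uaccess"` assumes a systemd-logind system.

```shell
#!/bin/sh
# Added example: build a udev access rule for a token with a custom VID:PID.
# ASSUMPTIONS: function names and sample IDs are hypothetical placeholders;
# TAG+="uaccess" relies on systemd-logind to grant the device ACL.

# normalize_id ID: accept exactly 4 hex digits (optional 0x prefix) and
# print them in lowercase; return 1 on anything else.
normalize_id() {
    id=${1#0x}; id=${id#0X}
    case $id in
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    [ "${#id}" -eq 4 ] || return 1
    printf '%s\n' "$id" | tr 'A-F' 'a-f'
}

# token_udev_rule VID PID: print one rule line, or fail on malformed input
# so that a typo never produces a rule that silently matches nothing.
token_udev_rule() {
    vid=$(normalize_id "$1") || { echo "bad VID: $1" >&2; return 1; }
    pid=$(normalize_id "$2") || { echo "bad PID: $2" >&2; return 1; }
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
    printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ' "$vid" "$pid"
    printf 'TAG+="uaccess"\n'
}

# Constructed placeholder IDs; substitute the token's own VID and PID.
token_udev_rule 0xABCD 0001
```

udev compares `ATTR{idVendor}` case-sensitively against sysfs, which reports lowercase hex, hence the normalization. The rule file has to sort before `73-seat-late.rules` for the `uaccess` tag to take effect.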