The VID/PID Problem of Gnuk Devices
NIIBE Yutaka
gniibe at fsij.org
Tue Feb 6 02:45:10 CET 2018
Hello,

> Recently, we are working on a project to assemble a small quantity (around
> 10 pieces) of homemade FST-01 compatible hardware tokens. We intended
> to distribute this token as a gift for our members, contributors and
> friends.
>
> We also planned to sell these tokens with preloaded Gnuk firmware
> (again, in small quantities), for several reasons. First, since SeeedStudio
> no longer sells the original FST-01 tokens, for local users who need
> them, getting it from a local Linux User Group is much more convenient
> than ordering it from any remote vendors. Second, it can be a good
> opportunity to promote the use of free software and cryptography. Third,
> it would also allow us to recover a portion of the fabrication costs
> to ensure the balance of our limited budgets. Finally, we also hope the
> act of making, using and distributing self-assembled Gnuk tokens would
> encourage the decentralization of the supply of cryptographic devices.

Great. That's exactly what I wanted to do many times, at many times. But
I was unable to achieve that goal by myself. I only had a Gnuk workshop
(with five people or so) in Japan. Currently, the distribution channel
is only the FSF shop and me in person.

I am pleased that you are going to do it.

> In conclusion, I have three questions, first, how to patch GnuPG and
> PC-SC to make them recognize it as a card reader with customized VID/PID?

As an upstream GnuPG developer, I think that no changes are required for
GnuPG scdaemon itself, for a token with customized VID:PID. All that we
need is configuration for accessing the hardware, in a distribution; for
example, in Debian, we have an entry for Gnuk Token (of FSIJ):
https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git/tree/debian/scdaemon.udev

For PC/SC, you can send the information to upstream:
http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
But, IIRC, it is not a mandatory condition to use a PC/SC reader.

Please note that for GNU/Linux machines, PC/SC is not required; we can
just use the in-stock CCID driver of GnuPG, which accesses directly using
libusb.

Please try some experiments with customized VID:PID.

Well, I'm afraid... some changes are needed for scripts in Gnuk.
VID:PID is hard-coded at some places. And the VID:PID is assumed in
some examples in documents.

> And what is the easiest way to solve the interoperability problem?

For Gnuk Token with customized VID:PID, while Nitrokey had an
experience, I suppose, we don't know the details. So, I think that you
need to pursue it by yourself. Sure, we will help.

> I've read that FSIJ may accept 3rd-party to use the FSIJ's VID as
> an authorized "second-source manufacturer", is it possible for us to
> apply?

Yes. I'll ask the members whether it will be acceptable.

> Also, if we decided to use our own VID/PID in the end, is there a way
> to avoid this nasty interoperability problem on existing systems?
While I haven't identified the problems, it's not that hard, if any.
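
The reply says a token with a customized VID:PID only needs access configuration in the distribution. As an added illustration (not part of the original message, and not the contents of Debian's scdaemon.udev), the sketch below generates such a udev rule; the function names and the IDs `abcd:0001` are hypothetical placeholders, and `TAG+="uaccess"` assumes a system running systemd-logind.

```shell
#!/bin/sh
# Added example: emit a udev rule for a token with a customized VID:PID.
# The IDs used at the bottom are constructed placeholders, not real assignments.

# is_hex4 STR -> succeeds only if STR is exactly four hex digits.
# Rejecting everything else also keeps quotes and commas out of the rule.
is_hex4() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# gnuk_udev_rule VID PID -> prints one rule line, or fails on bad input.
gnuk_udev_rule() {
    vid=$1
    pid=$2
    if ! is_hex4 "$vid" || ! is_hex4 "$pid"; then
        echo "error: VID and PID must be four hex digits each" >&2
        return 1
    fi
    # sysfs reports idVendor/idProduct in lowercase hex, and udev's ==
    # match is case-sensitive, so normalize before writing the rule.
    vid=$(printf '%s' "$vid" | tr 'A-F' 'a-f')
    pid=$(printf '%s' "$pid" | tr 'A-F' 'a-f')
    # TAG+="uaccess" gives the device to the user logged in on the local
    # seat only, rather than opening it to everyone with MODE="0666".
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", TAG+="uaccess"\n' \
        "$vid" "$pid"
}

# Constructed placeholder IDs; substitute the token's real VID and PID.
gnuk_udev_rule ABCD 0001
```

The output belongs in a rules file under `/etc/udev/rules.d/` whose name sorts before `73-seat-late.rules`, which is where the `uaccess` tag is applied.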