Enable KDF-DO on a populated GNUK
Szczepan Zalega | Nitrokey
szczepan at nitrokey.com
Thu Jan 28 10:56:08 CET 2021
On 1/28/21 3:56 AM, NIIBE Yutaka wrote:
> KDF-DO should be used, that is common practice for using Gnuk.
>
> Szczepan Zalega wrote:
>> From my tests it turned out that, currently, with the recent GNUK 1.2.15
>> and GnuPG 2.2.25, it is not possible to set up a KDF-DO on a populated /
>> personalized device (with keys). As a user I would like to have such an
>> option, so I would not be forced through a factory reset.
>
> No, it's not possible for Gnuk. Originally, when it was proposed, it
> was designed/implemented that KDF-DO setup should be done with no key
> materials. And Gnuk keeps this constraint.
>
> (...)
> Rather, for me, it makes sense to go opposite direction, instead; ... to
> refuse keytocard/key-generation when KDF-DO is not available.
>
I see. That sounds like a good idea. We have left normal PIN use
available for compatibility reasons (with a longer length required),
but perhaps indeed it should be phased out in the future in favor of KDF-DO.
Thank you for the clarification!
Best regards,
Szczepan
--
Szczepan Zalega
Senior Software Developer
Nitrokey GmbH
https://www.nitrokey.com
Email: szczepan at nitrokey.com
Nickname: szszszsz
Rheinstr. 10 C, 14513 Teltow, Germany
CEO / Geschäftsführer: Jan Suhr
Register: AG Potsdam, HRB 32882 P
VAT ID / USt-IdNr.: DE300136599
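The constraint discussed in this thread (Gnuk only accepts KDF-DO setup while the token holds no key material, so kdf-setup has to run before keytocard or on-card key generation) can be checked from the host before attempting it. The script below is an added example, not code from the thread, from Gnuk or from Nitrokey. It assumes the field labels of GnuPG 2.2.x `gpg --card-status` output ("KDF setting", "Signature key", "Encryption key", "Authentication key") and uses the standard `--card-edit` command sequence `admin`, `kdf-setup`, `quit`, driven through `--command-fd`; the status texts embedded in it are constructed samples, not captured from a real token. The real `gpg` invocation only runs when the script is started with `--run` and a token is attached.

```shell
#!/bin/sh
# Added example (not Gnuk/Nitrokey code): decide from `gpg --card-status`
# output whether KDF-DO can still be enabled on this token, following the
# Gnuk rule from the thread (KDF-DO setup only with no key material), and
# only then drive `gpg --card-edit` to run kdf-setup.

# Constructed sample: freshly reset token, no keys, KDF off.
SAMPLE_FRESH='Application type .: OpenPGP
Version ..........: 2.0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample: keys already loaded, KDF off. Gnuk refuses kdf-setup here.
SAMPLE_POPULATED='Application type .: OpenPGP
Version ..........: 2.0
KDF setting ......: off
Signature key ....: <fingerprint of the constructed signing key>
      created ....: 2021-01-28 10:00:00
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample: KDF enabled before the keys were written (the intended order).
SAMPLE_ENABLED='Application type .: OpenPGP
Version ..........: 2.0
KDF setting ......: on
Signature key ....: <fingerprint of the constructed signing key>
Encryption key....: <fingerprint of the constructed encryption key>
Authentication key: [none]'

# kdf_state STATUS_TEXT -> prints one word:
#   ready      KDF off and all three key slots empty: kdf-setup is allowed
#   enabled    KDF already on: nothing to do, keys may be loaded as usual
#   populated  KDF off but keys present: Gnuk will refuse; factory reset needed
# A missing "KDF setting" line (old GnuPG or a card without KDF support) is
# treated like "off".
kdf_state() {
    status="$1"
    kdf=$(printf '%s\n' "$status" | sed -n 's/^KDF setting[ .]*: *//p')
    # Count key slots that hold something other than "[none]".
    # wc -l is last in the pipeline so an empty grep result is not an error.
    keys=$(printf '%s\n' "$status" \
        | grep -E '^(Signature|Encryption|Authentication) key' \
        | grep -v '\[none\]' | wc -l)
    keys=$((keys + 0))
    if [ "$kdf" = "on" ]; then
        echo enabled
    elif [ "$keys" -gt 0 ]; then
        echo populated
    else
        echo ready
    fi
}

# Run kdf-setup on the attached token through gpg's command interface.
# The Admin PIN is requested by pinentry. Only used with `--run`.
run_kdf_setup() {
    state=$(kdf_state "$(gpg --card-status)")
    case "$state" in
        ready)
            printf 'admin\nkdf-setup\nquit\n' | gpg --command-fd 0 --card-edit ;;
        enabled)
            echo "KDF-DO already enabled; load or generate keys as usual" ;;
        populated)
            echo "keys present: Gnuk only allows kdf-setup on an empty token," \
                 "factory-reset first" >&2
            return 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    run_kdf_setup
fi
```

Run the pre-check on a real token with `sh kdf-precheck.sh --run`; on a fresh device it enables KDF-DO, and on a populated one it stops with a message instead of letting gpg fail against the card.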