Yubikey NEO OpenPGP advisory
andreas.schwier.ml at cardcontact.de
Wed Apr 22 20:27:26 CEST 2015
On 04/22/2015 08:05 PM, Werner Koch wrote:
> On Wed, 22 Apr 2015 18:06, andreas.schwier.ml at cardcontact.de said:
>> And contrary to the Yubico position that this is a minor issue, I would
>> call the circumvention of the PIN mechanism a major issue. If you loose
>> the device, then you loose the key.
> You mean anyone can use the key, right. However, any simple malware can
> be used to sniff on a user entering the PIN. I doubt that most pinpad
> readers can protect against this: It is easy to trick most users into
> entering the PIN using the regular keyboard instead of the pinpad. In
> fact old version of GnuPG required this in certain cases.
Not sure about that. If I loose my card on the street or someone picks
it from my pocket or my PC, than that is different from a malware attack
which I can protect myself against.
I would consider this a major bug, in particular if I purchase a device
to get this specific kind of protection.
Imagine a bank, SIM or electronic signature card with a malfunctioning
PIN. Would you consider that a minor bug ? I don't see that this is
different for an OpenPGP card.
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
More information about the Gnupg-users