Yubikey NEO OpenPGP advisory

Willy Witfood willy.witfood at mailbox.org
Mon Apr 27 13:38:14 CEST 2015

On 04/27/2015 12:36 PM, Peter Lebbing wrote:
> On 27/04/15 11:43, MFPA wrote:
>>> But I suppose it could work if you only use the NFC
>>> functionality when you're in a safe environment such as
>>> your own home.
>> Presumably that would mean keeping your card in an RFID-proof wallet
>> or tin when out and about.
> Well, if the PIN protection actually works (unlike in the affected
> Yubikeys) and you only enter the PIN in an environment where you're sure
> nobody is sniffing the over-the-air data, I suppose you could decide to
> rely on the fact that your PIN is still secret, preventing access to
> unauthorized people.
> Peter.


Whether this is a big or minor issue really depends on the use case.
In my opinion the perfect use case for the Yubikey NEO's OpenPGP is to
respond quickly to confidential but not extremely sensitive email in all
environments, which includes mobile phones. Here it's still significantly
better to use one with the vulnerability than the most common
alternatives: storing the key on the phone or using plaintext email.

Ideally I would like to have one identity with multiple subkeys which
also communicate multiple use cases, say

1) confidential: subkey on a yubikey NEO
2) secret: subkey on a smart-card with an independent card-reader with a
3) top secret: offline key

Then the sender could select the right one for the message.
