Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

Peter Lebbing peter at digitalbrains.com
Sat Nov 21 12:07:37 CET 2015


On 21/11/15 09:00, Jan Suhr wrote:
> All serious findings are fixed already. Look for the "Note" at the end
> of each issue description.

I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
There are unfixed issues with severity "High":

Firmware:
NK-01-008 OTP can be unlocked by replacing Smart Card (High)

Hardware:
NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)

Personally, I don't really see yet why the latter is so important;
however, gaining the ability to issue OTPs by simply inserting my own
OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
it not part of the threat model because the attacker is unable to
extract the key used for OTP generation?

Anyway, thanks for all your work on the Nitrokey series! I think it's
great you put so much effort into creating these nifty devices.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


