One Key to Rule It All [YubiKey+GPG-SSH+FIDO2+MFA-ZeroTrust]

The public key stored on your YubiKey, or even generated with it, is the advantage.

I believe so, but to use FIDO2 to do so you need to use token-based encryption.


Unfortunately, folks, my time available to work on stuff that I previously made is basically at an all-time low. Anything you wish to contribute and add that you feel is useful… you can just edit the wiki post (original post) and add it.

I wanted to make a script for handling all the different kinds of keys, but that scope just grew well beyond my ability to keep up, lol.

It seems that there is a crazy variety of security keys cropping up.

I've bought some Nitrokeys in an attempt to figure them out in depth (the newest models support Ed25519), but I haven't had time.


If you don’t mind, I’ll ping you directly to glean more details on the “latest” stuff, as I’m keen to learn as well, and will do my best to contribute here as well :slight_smile:


Replying to this thread is fine. I'm generally monitoring it. The effort to alter it right now is not something I want to tackle, because it may be a rewrite.

Oops, the forum said DMs are blocked. If you’re open to a DM chat, please ping me via an email to [email protected], as I’d love to pick your brains on the latest out there, etc.

Got it :slight_smile:

Would you be able to check if your personalization tool works for the 5C cards? https://www.reddit.com/r/yubikey/comments/1e140jo/yubikey_not_being_recognized_by_personalization/

Testing on Mac; let me try the Linux box…

Update: I found this personalization tool is broken on the latest Mac. I also compiled both of the YubiKey tools from their respective GitHub repos; this was important for finding the latest updated info on downloading the required dependencies, etc.

├── yubikey-manager-qt
│   ├── https://github.com/Yubico/yubikey-manager-qt.git
└── yubikey-personalization-gui
    └── https://github.com/Yubico/yubikey-personalization-gui.git


Just to double-check: it’s OK to have the signing key expire after a year, right? It just means I need to regenerate new S/E/A keys each year. What’s important is for the core Certificate (C) key not to expire.

Right?

The reason I ask is that I’ve mainly seen the main key generated as a combined “SC” key.


Yes, that is correct as far as I know.

Usually it is primarily because most people aren't FIPS compliant and don't need to be (separate cert and signing keys).

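The layout the two posts above agree on (a certify-only primary that never expires, separate S/E/A subkeys on a one-year clock) can be built and renewed without ever regenerating the subkeys. The script below is an added example written for this thread, not code from the original post or from Yubico; it assumes GnuPG 2.1 or later (for the `--quick-*` commands), uses a hypothetical user ID, an empty passphrase and a throwaway `GNUPGHOME`, and runs entirely on the host keyring (moving the subkeys onto a YubiKey with `keytocard` is a separate step). The renewal at the end is the point: `--quick-set-expire` with the subkey fingerprints listed explicitly pushes the S/E/A expiry out and leaves the primary's "never" untouched.

```shell
#!/bin/sh
# Added example for the thread, not the original post's code.
# Assumes GnuPG 2.1+; identity, passphrase and keyring location are throwaway.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
UID_STR="Demo User <demo@example.invalid>"   # hypothetical identity

# Non-interactive gpg: batch mode, loopback pinentry, empty passphrase.
gpgq() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Colon-format listing of one key; --with-fingerprint twice adds subkey fprs.
listing() {
    gpg --batch --with-colons --with-fingerprint --with-fingerprint --list-keys "$1"
}

# 1. Certify-only (C) primary that never expires. Prints its fingerprint.
make_primary() {
    gpgq --quick-generate-key "$UID_STR" ed25519 cert never >/dev/null
    listing "$UID_STR" | awk -F: '$1=="fpr"{print $10; exit}'
}

# 2. One subkey per capability (S, E, A), each valid for one year.
add_subkeys() {
    gpgq --quick-add-key "$1" ed25519 sign 1y
    gpgq --quick-add-key "$1" cv25519 encr 1y
    gpgq --quick-add-key "$1" ed25519 auth 1y
}

# Capability letters of the subkeys in creation order (field 12 of "sub").
subkey_caps() {
    listing "$1" | awk -F: '$1=="sub"{printf "%s%s", sep, $12; sep=" "} END{print ""}'
}

# Expiry epoch of the primary (field 7 of "pub"); empty means "never".
primary_expiry() {
    listing "$1" | awk -F: '$1=="pub"{print $7; exit}'
}

# Earliest subkey expiry epoch (field 7 of each "sub").
min_subkey_expiry() {
    listing "$1" | awk -F: '$1=="sub"{print $7}' | sort -n | head -n 1
}

# 3. Renewal: set every subkey's expiry to $2 (e.g. 2y). Passing the subkey
#    fingerprints explicitly keeps the primary's expiry as it was.
extend_subkeys() {
    subs=$(listing "$1" | awk -F: '$1=="sub"{w=1; next} w && $1=="fpr"{print $10; w=0}')
    # shellcheck disable=SC2086  # word splitting of the fingerprint list is intended
    gpgq --quick-set-expire "$1" "$2" $subs
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Run the whole procedure; results are left in DEMO_* variables.
demo() {
    DEMO_FPR=$(make_primary)
    add_subkeys "$DEMO_FPR"
    DEMO_CAPS=$(subkey_caps "$DEMO_FPR")              # "s e a"
    DEMO_PRIMARY_EXP=$(primary_expiry "$DEMO_FPR")    # "" (never)
    DEMO_BEFORE=$(min_subkey_expiry "$DEMO_FPR")
    extend_subkeys "$DEMO_FPR" 2y
    DEMO_AFTER=$(min_subkey_expiry "$DEMO_FPR")       # later than DEMO_BEFORE
    echo "primary $DEMO_FPR expiry='$DEMO_PRIMARY_EXP' subkeys=[$DEMO_CAPS] renewed $DEMO_BEFORE -> $DEMO_AFTER"
    cleanup
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```

Two practical notes. The renewal step is what makes yearly subkey expiry cheap: the subkey fingerprints (and anything pinned to them, such as an `authorized_keys` entry derived from the A subkey) stay the same, and only the self-signatures change, so after `gpg --send-keys` or re-exporting the public key the old material keeps working. Renewing requires the primary (certify) key, which is exactly why it should not expire and should live offline or on the token rather than being a combined "SC" key that every day-to-day signature depends on.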

The primary goal of authentication tokens (like FIDO hardware devices) is to fight the scourge of phishing attacks. The EUCLEAK attack requires physical access to the device, expensive equipment, custom software and technical skills. Thus, as far as the work presented here goes, it is still safer to use your YubiKey or other impacted products as a FIDO hardware authentication token to sign in to applications rather than not using one.

Per article
