[ale] YubiKey + OSS PGP = Nope

James Sumners james.sumners at gmail.com
Wed May 18 09:59:29 EDT 2016


https://www.techdirt.com/articles/20160515/02094934446/bad-news-two-factor-authentication-pioneer-yubikey-drops-open-source-pgp-proprietary-version.shtml

"...Yubico, the company that makes them, hasdecided to drop an open
source implementation in its latest offering. After some people
started asking about this on GitHub a few days ago, Yubico's
Engineering Lead Dain Nilsson explained:

`The implementation is not open source, that is correct. We have both
internal and external review of our code to ensure that it is secure.
It's important to remember that open source code is no guarantee that
bugs/vulnerabilities will be detected as the bug you've linked to
demonstrates quite well. The bug was inherited from the upstream
project which ykneo-openpgp is based on, and was NOT detected by any
audit of the source code. It was interaction with the device itself
which led to its discovery.

We're all for open source, and we try to open source as much of our
code as possible when and where it makes sense, but in this case it
was determined not to be so. One reason is that on the YubiKey NEO,
each applet runs in its own sandbox, isolated from the rest of the
system and can be audited/reasoned about on its own. This is not the
case on the YubiKey 4, where each part of the system interacts with
several others. Another reason that ykneo-openpgp was implemented as
an open source project (aside from being able to leverage an existing
project) was that it was useful for others, as it can run on a variety
of devices. Again, this is not the case for the implementation running
on the YubiKey 4.`"

-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)


More information about the Ale mailing list