Ingo-Albrecht

Results 8 comments of Ingo-Albrecht

Yes, I understand the zip creation has to trail the release of the firmware(s) and is a service to pick the correct image. A separate hash file would be ok,...

Thanks, having it available for a manual hash-check works fine for me. Once it's decided how to handle it in the future, I can make a suggestion perhaps. As far...

The Nitrokey 3 (main token used for heads, with reverse-hotp support) does have PIV slots as well, i.e. you can use both with it. If you skip reverse-hotp, Yubico tokens...

There are no HOTP codes to gather, replay is not a feasible scenario. There are attacks to extract the HOTP secret from a token (like there are attacks for any...

Please see the beginning of the doc link again. Heads interfaces its reverse-HOTP reply, the verification against secret is done in the token (green/red LED). Let's not forget the user...

The reference by @tlaurion to HOTP was to show a single token is employed for multiple purposes. It's a widely used optional (yes) convenience (yes) feature of the firmware and...

> @clinkist @Ingo-Albrecht is this misunderstanding stemming from https://github.com/linuxboot/heads-wiki/pull/203 having become too high level? This issue shows how an answer to a high level question triggers detail questions that remain...

I'd like to inject a focus on the "HOTP concerns" title once again. @clinkist's playbook starts by using a malicious token capable of faking a reply to heads to obtain...