YubiKey-Guide
Add mention of UIF (User Interaction Flag)
UIF is handy if you want to add that extra measure of ensuring the physical presence of a user before one of the 3 actions is taken.
- Sign
- Decrypt
- Auth
gpg --card-edit
...
UIF setting ......: Sign=off Decrypt=off Auth=off
...
gpg/card> admin
Admin commands are allowed
gpg/card> uif
usage: uif N [on|off|permanent]
1 <= N <= 3
gpg/card> uif 1 on
<enter Admin PIN>
gpg/card> uif 2 on
gpg/card> uif 3 on
gpg/card> list
...
UIF setting ......: Sign=on Decrypt=on Auth=on
...
Is there any additional documentation? How is this different than the touch policy?
GNUPG Manual
https://www.gnupg.org/documentation/manuals/gnupg.pdf
https://gnupg.org/documentation/manuals/gnupg/gpg_002dcard.html
uif N [on|off|permanent]
Change the User Interaction Flag. That flag tells whether the confirmation button of a token shall be used. N must be in the range 1 to 3. "permanent" is the same as "on" but the flag can't be changed anymore.
Documentation is extremely sparse and is not really explained in the GNUPG manual
My guess
I'm guessing that the UIF function is how the OpenPGP card specification handles the touch feature and that YubiKey's "ykman openpgp set-touch aut on" is calling the same library function.
If someone can explain how this helps or makes the setup more secure, please reopen or send a PR.
@drduh see also https://docs.nitrokey.com/nitrokey3/windows/openpgp-uif
If someone can explain how this helps or makes the setup more secure, please reopen or send a PR.
Are you asking why enforcing touch (permanently, without the ability to disable) and indicating it is more secure?
A smartcard/YubiKey that is not configured to enforce touch would be considered less secure because any requests from the host (such as decrypting password-store, or signing messages, or decrypting emails) could be automated by malware without the user's consent.
Indication of this is definitely helpful in determining if a yubikey is configured properly.
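As an added example, not code from the guide or from anyone in this thread, here is a POSIX shell check that turns the "UIF setting" line of `gpg --card-status` into a pass/fail result, so the state of the three flags can be verified in a script (for example before trusting a key for password-store or commit signing). The sample outputs are constructed; real `gpg --card-status` output has more lines, and whether gpg prints the word "permanent" for a permanently enabled flag is an assumption, so the check accepts both "on" and "permanent".

```shell
#!/bin/sh
# Added example (not part of the YubiKey-Guide): verify that the OpenPGP
# applet enforces touch (UIF) for Sign, Decrypt and Auth.

# Constructed samples of the relevant gpg --card-status lines (not captured
# from a real card).
UIF_SAMPLE_ENFORCED='Application type .: OpenPGP
UIF setting ......: Sign=on Decrypt=on Auth=on'

UIF_SAMPLE_WEAK='Application type .: OpenPGP
UIF setting ......: Sign=on Decrypt=off Auth=on'

# Older gpg/card combinations print no UIF line at all.
UIF_SAMPLE_NOLINE='Application type .: OpenPGP'

# uif_check: reads gpg --card-status text on stdin.
# Returns 0 if Sign, Decrypt and Auth are all "on" (or "permanent", an
# assumed spelling), 1 if any flag is off or unparseable (the offending
# flag is reported on stderr), 2 if no UIF line is present.
uif_check() {
    line=$(grep '^UIF setting' | head -n 1)
    [ -n "$line" ] || return 2
    rc=0
    for key in Sign Decrypt Auth; do
        # Extract the word after "<key>=" on the UIF line.
        state=$(printf '%s\n' "$line" | sed -n "s/.*${key}=\([a-z]*\).*/\1/p")
        case "$state" in
            on|permanent) ;;
            *) printf 'UIF %s is %s: touch not enforced\n' "$key" "${state:-unknown}" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a real token: sh uif_check.sh --live
# (the constructed samples above are used by the tests instead).
if [ "${1:-}" = "--live" ]; then
    gpg --card-status | uif_check && echo 'UIF: touch enforced for Sign, Decrypt and Auth'
fi
```

The check only reports what gpg reports; it does not change the card. Pair it with `uif N permanent` if you want a flag that cannot later be switched off by whatever holds the Admin PIN.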