nanog mailing list archives
Re: South Africa On Lockdown - Coronavirus - Update!
From: Michael Loftis <mloftis () wgops com>
Date: Mon, 23 Mar 2020 20:32:32 -0600
On Mon, Mar 23, 2020 at 19:25 Owen DeLong <owen () delong com> wrote:
> I confess I haven’t investigated the implementation details, but is it possible for one to issue YubiKeys to an employee in a secure way with those features disabled?
Yes. And changing that setup either requires a separate admin pin or wiping the associated private key data to reconfigure. It depends on which application/mode. FIDO I believe is most inflexible here as it can only be short touch to activate. I don’t use the HID keyboard mode OTP keying app/feature so I’m not terribly familiar with that. It might be that it can be configured limited such that N in X seconds or a replug is required (to circumvent the timer) but I really do not know. If people are really curious I can grab a spare key and check. I use the CCID/smart card type modes. I do know that the touch OTP key feature requires wiping the associated private key data, or having it available to reprogram and change options. They’re a shared secret mode so the yubikey authentication server has those private keys.
> It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing that seems to me is the issue in this case. I agree that this abuse of the YubiKey is more an issue of implementation than the inherent nature of the YubiKey, but the YubiKey does allow this kind of abuse in ways that other tokens don’t facilitate.
>
> That's like saying that cars are worse than bicycles, because cars allow you to drive into things at a more dangerous speed. I mean, yes, but ….
>
> Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs. In this case, I’m not sure the YubiKey offers anything over the SecurID to balance that increased hazard.
>
> Owen

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler