Just got my Solo2 a few days ago and I love the new interface. I'm the envy of the cube farm! I also have other serious questions about the decision to support PIV at all...
Hoping someone can help improve my understanding of the direction of Solo on the PIV effort, as GPG seems far more actively developed and continental.
Replies: 2 comments 8 replies
Glad you like it! Yes, PIV is still unfinished and hence disabled.
PIV is not "encumbered", whatever that means. It's an open standard:
There are multiple open source implementations of PIV as a JavaCard applet:
I agree this can be improved. Though they're focused on "Yubico PIV", there are https://github.com/go-piv/piv-go in Go and https://docs.rs/yubikey in Rust; I believe Tony is interested in supporting our PIV app once it's ready. makinako's project wiki has a description of his approach; Yubico obviously have their own approach. I'm not the biggest fan of OpenSC, but they are currently trying to implement "secure messaging" according to the PIV standard (OpenSC/OpenSC#2053), which I'd say is a prerequisite for allowing the creation/manipulation of sensitive objects.
I think you're mixing up a few things. FIPS certification (FIPS 140) is indeed an abomination; it's unlikely we will pursue this (makinako is going to try for OpenFIPS201).
There are very many reasons why PGP is not a good idea in 2022 (you can Google for the many loud and not so loud voices banging on this point); you may or may not agree, but I am not interested in continuing this part of the conversation. Nitrokey is planning a PGP app; if and when it exists, we'll make it possible to use it on SoloKeys hardware (this interoperability is the main reason we split out Trussed). Assuming one agrees with "no PGP", looking around the ecosystem there aren't very many candidates: the ISO applet (https://github.com/philipWendland/IsoApplet, https://globalplatform.org/specs-library/iso-framework-v1/), meaning "take PKCS 15 literally and implement it as a smartcard applet", and GIDS (https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/windows-inbox-smart-card-minidriver, https://github.com/vletoux/GidsApplet), which is the "other" app natively supported by Windows, intended to solve the provisioning problem compared to PIV. But that's about it, and they're both kinda niche. I think it's more helpful to share why I personally am a PIV "fan" (comparatively; I've spent enough time with it "in anger" too).
Downsides of PIV in my view:
It would be kind of nice to greenfield everything clean and fresh from scratch, but then we're just creating new vendor lock-in. So while I think there might be a more greenfield HSM-style app in the future, doing something that tries to fit in with the existing ecosystem seems more fruitful to start with. For these downside topics, I'm in conversation with the other two open source implementations linked above, to try and find ways for "open source PIV" to converge on solutions. Two further remarks:
Hey, I'm not sure what GitHub Discussion etiquette is, but there are two "answered" topics and I'm pretty sure I opened one long ago, so I'm reluctant to start a new topic... Is it safe to assume that with manufacturing underway and a FIDO2-related firmware update coming that PIV support might be back on the roadmap? (Separately, but again I don't want to make a new topic: are y'all interested in outside contributions? I'm overly obligated, but I keep coming back once a month and will eventually run out of projects. I of course understand "life" and other obligations, but a timeline, or even a rough priority list, or a list of issues that are open to external contributors, might be helpful.) (Final note, fwiw, I mostly want PIV since I can't have OpenPGP, not that I love GPG...)