i think that your thoughts/documentation might exceed what actually exists within the code - in particular:
- i cannot find a way to force HMAC for VAL => KSM communication
For VAL->KSM communication, I would recommend an encrypted+authenticated virtual network connection (TLS, SSH port forwarding, IPsec, OpenVPN or similar).
- i cannot find a way to enforce HMAC between auth-client and VAL server (if i omit a key in request, VAL is *not* refusing to reply)
You are right that HMAC keying is optional. If there is a need, this could easily be changed in the server code, so that HMAC is always required.
- i cannot find a way to make php-curl (used by VAL server) verify certs, thus i'm unable to secure VAL => KSM communication - no visible trace of a curl_setopt(..., CURLOPT_CAINFO, ...) definition in the project (i've been using this version: yubikey-val-2.1-0.5). actually it's even worse - the whole verification is deliberately turned off with: ykval-synclib.php: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
You could use any of the ideas above (TLS, SSH, etc), or help us improve the code here.
- i cannot find a way to make yubico-c-client (used i.e. by pam_yubico module) verify certs, again - no trace of CURLOPT_CAINFO in ykclient library (versions used: ykclient-2.3 and pam_yubico-2.1)
It supports HMAC though. Making it support HTTPS would be a very useful addition.
should i fork your code?
Please send a patch instead! Most of our code is developed as a Google Code project, so you can easily find bug reports and even provide patches to implement some missing features.
i think hacking organization's dns is currently sufficient to break whole yubico infrastructure trust.
Hacking DNS will lead to a denial of service, but to really do harm against properly configured clients I believe you need the server certificate private key or HMAC shared secrets.
I hope these answers help a small bit. We are aware that not all projects are in perfect condition (or, rather, I think you can find things to improve on all of our projects), but we hope that you and others will help us get things right in the long run.
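A hardened version of the outgoing HTTPS request setup discussed in the VAL => KSM point above, as an added example written for this thread and not code from yubikey-val; the endpoint URL and the CA bundle path are placeholders, and the cURL options used are standard php-curl ones.

```php
<?php
// Added example (not from yubikey-val): build the sync/decrypt request with
// certificate verification ON, replacing the pattern found in ykval-synclib.php:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// $url and $ca_bundle are placeholder values chosen for this example.

function secure_curl_handle(string $url, string $ca_bundle, int $timeout = 10)
{
    if (!is_readable($ca_bundle)) {
        // Fail closed: refusing to connect is safer than connecting unverified.
        throw new RuntimeException("CA bundle not readable: $ca_bundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => $timeout,
        // Verify that the peer certificate chains to a CA we trust ...
        CURLOPT_SSL_VERIFYPEER  => true,
        // ... and that its name matches the host in $url (2 = full check).
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Pin the trust store to a bundle we control (e.g. only our own CA),
        // so a DNS takeover alone cannot redirect us to a cert we would accept.
        CURLOPT_CAINFO          => $ca_bundle,
        // Never follow a redirect down to plain http://.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ]);
    return $ch;
}

function sync_request(string $url, string $ca_bundle): string
{
    $ch = secure_curl_handle($url, $ca_bundle);
    $body = curl_exec($ch);
    if ($body === false) {
        // libcurl reports verification failures ("SSL certificate problem")
        // here, so a bad or forged certificate aborts the sync instead of
        // being silently accepted.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("sync to $url failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Usage with placeholder endpoint and bundle path:
// echo sync_request('https://ksm.example.internal/', '/etc/yubico/ca-bundle.pem');
```

Verification then fails loudly in the VAL log rather than being disabled, which is also the condition under which the DNS-only attack discussed above degrades to a denial of service instead of a trust break.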