Yubico Forum

Re: [SOLVED] Disable 6 second delay for openpgp touch prompt

2017-10-08T22:42:46+01:00

Ok, since it seems it's working for you without the 6 second delay, I just de- and then re-activated the touch feature, and now it seems to work immediately. This was on MacOS, btw.

Statistics: Posted by goerz — Sun Oct 08, 2017 10:42 pm

Re: [QUESTION] Disable 6 second delay for openpgp touch prom

2017-10-08T21:49:19+01:00

I have tracked it down: https://developers.yubico.com/yubikey-m ... /Releases/

I did:

Code:

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch aut on
Current touch policy of AUTHENTICATE key is OFF.
Set touch policy of AUTHENTICATE key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch enc on
Current touch policy of ENCRYPT key is OFF.
Set touch policy of ENCRYPT key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

C:\Program Files (x86)\Yubico\YubiKey Manager>ykman openpgp touch sig on
Current touch policy of SIGN key is OFF.
Set touch policy of SIGN key to ON? [y/N]: y
Enter admin PIN:
Touch policy successfully set.

Then I unplugged and plugged back in. Now as soon as I type in my pin to sign, it sits there forever waiting. So then I press the button and it works. I repeat, same thing only I can press it as soon as I want and it will complete. same with decrypting things, I enter my pin and tough the contact on the Yubikey, else it sits there, presumably until it times out or something. I like this feature and it should be part of the normal personalisation tool in my opinion.

If you are using linux, perhaps there is a difference between that and the windows version? It is BETA after all, so I don't know what else to tell you. I am going to leave the feature disabled I think though, because if I cannot protect my Neo with it, I do not want to the false sense of security that could come from relying on this and forgetting when I use the Neo. But if it were available on both, I would leave it enabled.

Statistics: Posted by Morthawt — Sun Oct 08, 2017 9:49 pm

Re: [QUESTION] Disable 6 second delay for openpgp touch prom

2017-10-08T21:16:47+01:00

I cannot find the download link for it. I am on windows. What would I need to experiment with this any way?

Statistics: Posted by Morthawt — Sun Oct 08, 2017 9:16 pm

Re: [QUESTION] Disable 6 second delay for openpgp touch prom

2017-10-08T21:15:33+01:00

I don't know, it seems a bit dodgy to me. I can understand, maybe, a full reset of the OpenPGP applet being command-liny and complex looking but if you have to use scripts and things to enable a "feature" it seems more like a beta or test feature than something that Yubico expect users to do. I have been all over the personalisation tool and I have seen no mention anywhere of this. I would be concerned about wrecking something. Does this work on a new Neo too? If this is something I can experiment without breaking either my 4 or Neo then I might give it a try and let you know what happens.

Statistics: Posted by Morthawt — Sun Oct 08, 2017 9:15 pm

Re: [QUESTION] Disable 6 second delay for openpgp touch prom

2017-10-08T20:11:51+01:00

It's a feature that was introduced on the Yubikey 4 (off by default), and is documented at e.g. https://developers.yubico.com/PGP/Card_edit.html. Personally, I found that it's most easily configured using the ykman command line utility (https://github.com/Yubico/yubikey-manager), rather than through the shell script linked in the documentation. In any case the documentation does not mention that there should be any delay.

Statistics: Posted by goerz — Sun Oct 08, 2017 8:11 pm

Re: [QUESTION] Disable 6 second delay for openpgp touch prom

2017-10-08T13:43:32+01:00

Is that an undocumented feature? I have never seen that listed anywhere. I need to press my finger to get a TOTP from the authenticator app but openPGP needs nothing other than my pin.

Statistics: Posted by Morthawt — Sun Oct 08, 2017 1:43 pm

[SOLVED] Disable 6 second delay for openpgp touch prompt

2017-10-08T22:44:30+01:00

I've set up an OpenPGP key on my YubiKey4, and also activated the setting that I have to confirm any use of the key by pressing it (via the command line utility

Code:

ykman openpgp touch aut ...

). However, whenever I issue a GPG command, there is about a 6 second delay before the YubiKey starts flashing (indicating that it's ready for my finger). More specifically, the YubiKey flickers once (very quickly) immediately after I issue the GPG command, then once more at about 3 seconds, and then start slow-flashing after 6 seconds (for 15 seconds, until it times out).

If I touch the key before the 6 seconds, it enters the OTP password.

Is there any way to configure the key so that I can touch it immediately after issuing the GPG command? Six seconds feels like an eternity on the command line!

Statistics: Posted by goerz — Sun Oct 08, 2017 12:42 am