Massyn wrote:
Hi guys,
I would propose that for developers, how about including the AES key printed on the invoice being included with the shipping? I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.
For large quantities, I would prefer a secure https web delivery method, where 1 of the YubiKeys in the package should be a "special" one that is required to unlock the website, call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.
Cheers
Phil Massyn
I definitely agree with what Phil said. It cannot be that someone can just use one or two OTPs of a YubiKey and get the full AES key. It doesn't matter by what means (https, PGP, etc)! That's just not secure, and we talk about security if we talk about the YubiKey. It would undermine the security of all YubiKeys out there.
Phil's proposal is probably a feasible and secure way, and it assures that only the receiver of one or a bunch of YubiKeys can get access to the original AES keys. The process described is pretty secure and it addresses single key handling as well as high volume handling with the 'red-key'.
Of course, at the current state it might be that in some exceptions the 'current process' is applied. But for the future, a secure process needs to be implemented.