Yubico Forum

Posted by mkosterlund: Fri Jun 27, 2014 10:18 am

Hi,

Is the YubiKey NEO PIV applet usable with a contact-less CCID reader?

According to your statement: "Currently all functionality are available over both contact and contactless interfaces (contrary to what the specifications mandate)."
I'm guessing yes. In our production environment, some users require three distinct certificates for authentication.

Can you please verify in what way, if any, you plan to change the current functionality?
E.g. will all certificate slots be available for both USB and contact-less reading?

Currently it seems all certificate slots, in USB reading, require the PIN;
is this also the case in contact-less reading?

Are you planning on changing the PIN requirement in either contact and/or contact-less reading
for any of the slots in the future?

Can you name 1 or 2 contact-less USB CCID readers that work in your experience, also under Windows?
Perhaps Omnikey 5321 v2?

We have been able to store, and do Windows logon with, certificates stored in the following slots:
9a, 9d and 9e. However, the PIN was always checked; this was using the contact interface. Is this expected behavior?

According to the output below from the PIV tool, the PIN should never be checked with slot 9e?
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)

We have not been able to authenticate using Windows logon with a certificate stored in slot 9c. Do you know why?
E.g. the certificate does not show.

Posted by klas (Site Admin): Fri Jun 27, 2014 1:10 pm

Hello,

Replies follow inline below.

mkosterlund wrote:
Is the YubiKey NEO PIV applet usable with a contact-less CCID reader?

Yes.

mkosterlund wrote:
Can you please verify in what way, if any, you plan to change the current functionality?
E.g. will all certificate slots be available for both USB and contact-less reading?

There are no stated plans in this regard, but the current behaviour is in violation of the PIV spec. We might make a bit that can be toggled with the auth key, or something like that. If a standard secure messaging implementation gets built in for host-side software, we will probably implement that and might enforce it for contactless functionality.

mkosterlund wrote:
is this also the case in contact-less reading?

Yes, the applet does not check whether it's used in contact or contact-less mode. The 9e slot does not require a PIN for the authenticate operation.

mkosterlund wrote:
Can you name 1 or 2 contact-less USB CCID readers that work in your experience, also under Windows?
Perhaps Omnikey 5321 v2?

I think this has been discussed on the forum earlier: viewtopic.php?f=26&t=1345&p=5070
The Omnikey 5321 works fine but is a bit bulky if you only want a contactless reader. Generally any standard reader should work, but we've not had the opportunity yet.

mkosterlund wrote:
We have been able to store, and do Windows logon with, certificates stored in the following slots:
9a, 9d and 9e. However, the PIN was always checked; this was using the contact interface. Is this expected behavior?

For 9e the PIN is not required, but this might be a Windows thing that it always checks the PIN. 9c should work, but Windows could restrict usage of 9c to signature operations and not allow it for authentication (if one is to think more on it, 9d shouldn't be used for authentication either, only decryption).

/klas
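
Added example, not from this thread and not Yubico's code: a small Python model of the slot PIN policies the question lists (9a/9d PIN once per session, 9c PIN always, 9e PIN never) and of the contact vs. contactless point in klas's reply, so the expected status words for each slot can be seen without a card. The simulated card, its default PIN and the `spec_contactless_rules` switch (off = the NEO behaviour described above, on = the SP 800-73 rule that only the 9e card-authentication key is usable contactless) are assumptions made for this example; the APDU headers follow SP 800-73 (VERIFY 00 20 00 80, GENERAL AUTHENTICATE 00 87).

```python
from dataclasses import dataclass
# PIN policy per slot (thread and SP 800-73): 9a/9d once per session, 9c always, 9e never.
SLOT_PIN_POLICY = {0x9A: "once", 0x9C: "always", 0x9D: "once", 0x9E: "never"}
SW_OK, SW_SECURITY_NOT_SATISFIED, SW_NOT_FOUND = 0x9000, 0x6982, 0x6A88

@dataclass
class SimulatedPivCard:
    """Minimal PIV applet model, constructed for this example (not Yubico code)."""
    pin: bytes = b"123456"                 # constructed default PIV PIN
    contactless: bool = False              # interface the session arrived on
    spec_contactless_rules: bool = False   # True: only 9e usable contactless
    pin_verified: bool = False

    def transmit(self, apdu: bytes) -> int:
        """Return the status word for a VERIFY or GENERAL AUTHENTICATE APDU."""
        ins, p2 = apdu[1], apdu[3]
        if ins == 0x20 and p2 == 0x80:     # VERIFY, PIV application PIN
            lc = apdu[4]
            self.pin_verified = apdu[5:5 + lc].rstrip(b"\xff") == self.pin
            return SW_OK if self.pin_verified else 0x63C2  # 63Cx = retries left
        if ins == 0x87:                    # GENERAL AUTHENTICATE, p2 = slot
            policy = SLOT_PIN_POLICY.get(p2)
            if policy is None:
                return SW_NOT_FOUND
            if self.contactless and self.spec_contactless_rules and p2 != 0x9E:
                return SW_SECURITY_NOT_SATISFIED   # spec: other keys contact-only
            if policy == "never":
                return SW_OK
            if not self.pin_verified:
                return SW_SECURITY_NOT_SATISFIED
            if policy == "always":         # 9c: each use consumes the PIN state
                self.pin_verified = False
            return SW_OK
        return 0x6D00                      # INS not supported by this model

def verify_apdu(pin: bytes) -> bytes:
    """VERIFY APDU with the PIN padded to 8 bytes with 0xFF, as PIV requires."""
    return bytes([0x00, 0x20, 0x00, 0x80, 0x08]) + pin.ljust(8, b"\xff")

def auth_apdu(slot: int, alg: int = 0x11) -> bytes:
    """GENERAL AUTHENTICATE header for `slot`; 0x11 = ECC P-256; data omitted."""
    return bytes([0x00, 0x87, alg, slot, 0x00])

def sign_twice(slot: int, verify_first: bool, **card_opts) -> tuple:
    """Two consecutive private-key operations on one slot; returns both SWs."""
    card = SimulatedPivCard(**card_opts)
    if verify_first:
        card.transmit(verify_apdu(b"123456"))
    return card.transmit(auth_apdu(slot)), card.transmit(auth_apdu(slot))
```

With the default settings every slot behaves the same on either interface, which is the behaviour klas describes; a host that expects 9e to work without a PIN but always gets prompted (as in the Windows logon case above) is prompting on its own, not because the applet returned 0x6982.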