Yubico Forum

PostPosted: Fri Jul 29, 2016 10:22 pm 

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
Hello Yubico users,

I have had good success installing OpenPGP keys on my new Yubikey 4. Then I got it to work with gpg-agent and with SSH. It's actually pretty cool and gives me a lot of confidence that, even if my client computer is thoroughly compromised, at least no one will get an SSH private key.

Now I would like to set up a similar level of security for my IMAP (Dovecot) and SMTP-Submission (Postfix) users.

The two ways to go are OTP or TLS client certs. Actually it looks like TLS client certs may be easier for users.

The problem is that to use them, I probably need to set up a private CA. I can do that, if that's the right way to go.

Does anyone have guidance on how to approach this? It would be very nice if Yubico would run an accredited CA that could sign client certs. Then we would not need to set up an entire CA for this purpose. Any other suggestions?

Thanks!



PostPosted: Mon Aug 01, 2016 10:24 am 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
I'd go for TLS certs; you can use yubico-piv-tool to manage a CA on the YubiKey.
TLS certs usually have very good support, e.g. you can only allow certain clients to connect if their CA is X or if the cert fingerprint is Y.


PostPosted: Tue Aug 02, 2016 1:38 am 

Joined: Fri Jul 29, 2016 8:30 pm
Posts: 7
Yes, that's what I'll do. The only hassle is, it means I need to create a CA. Which is really not that bad. I've done it before. I just would prefer not to.

If I'm using the Yubikey for OpenPGP, with gpg-agent, and for PIV, with PKCS11, can I use both of those at the same time? My SSH connection might need to use gpg-agent/OpenPGP, and then my email client might need to use PKCS11, in quick sequence. Can it handle this type of thing, or will it get confused? The other possibility is to make SSH use PKCS11. Is that better?

I'm trying to figure out the best approach.

With some help, I did get Prosody XMPP server to use Yubikey OTP, and that was cool.

I really wish RFC 6091 had happened. It would be the obvious solution. Everything uses gpg-agent, no need for creating a CA to issue user keys.

Thanks


PostPosted: Wed Aug 03, 2016 8:58 am 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Have you checked this?
https://developers.yubico.com/yubico-pi ... ority.html

