Tom2 wrote:
Thank you for the reference. I notice that none of the OpenPGP specs (v1.0, 2.0, 3.0) actually include setting the retry counter to a specific value. They only say that at the reset it should return to the default.
However I find it very convenient and user-friendly that NEO extends this and allows me to set it to (say) 5 instead of 3, because (a) this is the policy where I employ it, and (b) it is perfectly convenient for me. So I'm very much disappointed that Yubico decided to get "strict" with Yubikey 4. There doesn't seem to be a reason (nor a need) for it.
UpdateIt is understandable why the standard may want to preclude
users from being able to change the retry counter. Preventing the
organizations that own and deploy such devices from setting whatever policy on the number of retries they see fit, seems very wrong - and I've yet to see a standard explicitly demanding this.