[Gnuk-users] factory-reset

Jan Suhr jan at nitrokey.com
Wed Oct 12 07:43:44 UTC 2016 

Hello Niibe,

Am 12.10.2016 03:49, schrieb NIIBE Yutaka:
> Hello, Jan,
> 
> Thank you for your comment.
> 
> On 10/11/2016 04:58 PM, Jan Suhr wrote:
>> If in the future we ship the more attractive Gnuk 1.2 I'm afraid that
>> even more users will block their device. From my perspective it would 
>> be
>> much better if Gnuk behaves like original OpenPGP Card which can be
>> factory-reset without any PIN. Of course you have your good reasons to
>> built Gnuk as it is. Perhaps it would be a solution to provide a
>> compilation option to enable/disable device reset?
> 
> I understand your point:
> 
>     In the use case of distributing Gnuk for other users (who have no
>     experience), it is the most common failure mode.
> 
> OK, I'll add the factory reset feature of OpenPGP card to Gnuk with
> compile-time option.  Enabling the option is up to those who compile

That would be wonderful! Thank you very much.

> Gnuk to flash into a device.  A (power) user can upgrade the firmware
> by herself (with the feature disabled).
> 
> Personally, I also have a reason to introduce this compile-time
> feature: I don't know how we can remove keys from original OpenPGP
> card, other than by the factory reset.  Factory reset would be a
> common way removing keys (if card/token support this).

I never understood why is it like this. Why can't Gnuk behave in this 
regards (when deleting keys) as Achim's "original" OpenPGP Card?

>> Alternatively: I don't know the end-to-end use case for the reset 
>> code.
>> Is it desired for enterprise scenarios where the company provides Gnuk
>> devices to their employee? What I have in mind is: Would it be an 
>> option
>> to change reset code so that it could trigger a factory-reset?
> 
> I don't recommend the reset code for that purpose.  It will be
> considered an easy backdoor to hijack the control of the card.
> 
> 
> In theory, it is possible for a factory to register a public key of
> RSA-2048 into Gnuk Token, so that locked card can be upgraded to new
> firmware (removing all secret).  I thought that this could be an
> alternative to the factory reset, but it would be difficult to manage
> such a key, in practice, under the condition of the code is under GNU
> GPLv3.

I agree. Also we don't want to have the control of user's devices in 
general.

> 
> Please note that we also need to modify GnuPG to support factory-reset
> command for Gnuk Token, it is not supported now.  Well, I will, too.

GnuPG 2.1 supports factory-reset of Achim's OpenPGP Card. Wouldn't you 
use the same mechanism for Gnuk?

Best regards,
Jan

More information about the gnuk-users mailing list