[Gnuk-users] Admin less mode (opt-out possible)

Jan Suhr | Nitrokey jan at nitrokey.com
Sat Oct 21 08:56:14 UTC 2017


Hi Niibe,

On 21.10.2017 at 00:23, NIIBE Yutaka wrote:
> Alexander Paetzelt | Nitrokey <alex at nitrokey.com> wrote:
>> Is it maybe possible to disable this feature during compilation (in
>> future)?
> 
> Not for Gnuk from here.  If you really want to do that, detecting the
> condition where user PIN setting with no admin PIN is possible, so,
> returning an error in that condition can be done by some changes.  But,
> I am afraid that it just introduces more confusion.
> 
> I think that documentation and education issues should be handled in
> some appropriate place.

I think the only appropriate place would be the "GUI" of GnuPG. I mean
GnuPG should tell or better warn the user if she changes the passphrase
to more than 7 characters. All other places (separate documentation,
README) are most likely to be ignored. But how to inform the user if he
doesn't use GnuPG directly, e.g. if he uses Enigmail for instance?

> Well, it would be good if user can examine the status (admin-less or
> not).

The theory of usability (e.g. if you take a university class on
usability) tells, as one of its main principles, that implicit changes of
behaviour are bad and should be avoided. Consequently, the best solution
would be if GnuPG would ask the user if he wants admin-less mode or not.
This should be independent of how long the passphrase is. I assume you
avoided this because its implementation would be more complex because it
involves GnuPG and perhaps a change of OpenPGP Card specification.

> The admin-less mode has been widely used (by most Gnuk users).  That's

In our case I think hardly any of our users uses this mode (knowingly).

> because the main purpose of Gnuk is to minimize attack surface.
> 
> When admin PIN is enabled, it means that it doubles a part of surface
> (another three-time attempts are possible).

I would consider 6 attempts to break a 6/8 character long passphrase as
secure. From my perspective the admin-less mode is good because it could
make the usage of Gnuk easier. This holds true as long as it doesn't
cause any unforeseen issues. Currently, because users don't know it, it
causes more trouble to our users than it helps. Consequently a compile
option (e.g. configure --no-admin-less-mode) would help us to prevent
such trouble for our users.

Best regards
Jan


