Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Single PIN #145

Open
jans23 opened this issue Apr 20, 2023 · 6 comments
Open

Single PIN #145

jans23 opened this issue Apr 20, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@jans23
Copy link
Member

jans23 commented Apr 20, 2023

OpenPGP Card specification allows to unify User PIN and Admin PIN. This would be a nice feature for Opcard.

@sosthene-nitrokey
Copy link
Collaborator

I don't think this is part of the standard. It is part of gnuk under the name "admin less" mode, which is entered by changing the user pin away from the default before changing the admin pin.

@sosthene-nitrokey
Copy link
Collaborator

I think this is a pretty confusing feature. It is enabled by doing an action that has no indication to be enabling this, and there is no UI to report this.

I think at best a compromise would be to enable it explicitly through nitropy or the nitrokey app instead of doing it implicitly.

@szszszsz
Copy link
Member

Explicit configuration sounds good

@szszszsz
Copy link
Member

Would it be problematic for the client software, if Single PIN would be made the default behavior?

@sosthene-nitrokey
Copy link
Collaborator

No. However it would be very confusing for someone used to other gpg smartcards, and ui would still ask for the both pins when only one is expected.

I do agree that this is a feature that makes a lot of sense though, and I understand why gnuk does it this way: if you change the user pin but keep the admin pin default, you can still reset the user pin using the default admin pin, which can be dangerous for a user that doesn't think about changing the admin pin.

@szszszsz
Copy link
Member

No. However it would be very confusing for someone used to other gpg smartcards, and ui would still ask for the both pins when only one is expected.

That's true, but perhaps indifferent for the low-tech user. The target audience for this solution is a person not used to smart cards, hence it sounds sensible to make it a default. This solution is similar to FIDO2 single PIN.

@szszszsz szszszsz added the enhancement New feature or request label Apr 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants