Attestation key: Cashed (fixed) does not change on "ykman openpgp reset"

[del-leehopper]

• YubiKey Manager (ykman) version: 5.5.0
• How was it installed?: Windows 64 msi
• Operating system and version: Windows 10 22H2
• YubiKey model and version: 5C NFC
• Bug description summary: Attestation key: Cashed (fixed) does not change on openpgp reset

Steps to reproduce

ykman openpgp keys set-touch sig cached-fixed --admin-pin 12345678 --force
ykman openpgp keys set-touch enc cached-fixed --admin-pin 12345678 --force
ykman openpgp keys set-touch aut cached-fixed --admin-pin 12345678 --force
ykman openpgp keys set-touch att cached-fixed --admin-pin 12345678 --force
ykman openpgp reset --force
ykman openpgp info

Expected result

ykman openpgp info
OpenPGP version: 3.4
Application version: 5.4.3
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 3
Require PIN for signature: Once
KDF enabled: False
Touch policies:
Signature key: Off
Encryption key: Off
Authentication key: Off
Attestation key: Off

Actual results and logs

ykman openpgp info
OpenPGP version: 3.4
Application version: 5.4.3
PIN tries remaining: 3
Reset code tries remaining: 0
Admin PIN tries remaining: 3
Require PIN for signature: Once
KDF enabled: False
Touch policies:
Signature key: Off
Encryption key: Off
Authentication key: Off
Attestation key: Cached (fixed)

Other info

The documentation seems to point to the Attestation Key being reset just as with everything else.

So either the documentation needs to be updated, or there is a bug where this should reset but it doesn't.

If the documentation is wrong, and the Attestation Key does not get reset, then is there a way to reset it if needed?

https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-keys-set-touch-options-key-policy
https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-reset-options

[dainnilsson]

The behavior is correct, the attestation key is not intended to be deleted when performing factory reset. Which specific part of the documentation do you think implies that the Attestation key would be deleted?

[del-leehopper]

https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-keys-set-touch-options-key-policy
Under the "Touch Policies" it says:

Cached-Fixed: "Touch required, cached for 15s after use, cannot be disabled without deleting the private key."

and

Fixed: "Touch required, cannot be disabled without deleting the private key."

This isn't correct. It should add something like "Attestation key can never be changed if set to this policy."

https://docs.yubico.com/software/yubikey/tools/ykman/OpenPGP_Commands.html#ykman-openpgp-reset-options

Currently says:
"Reset OpenPGP application. This action wipes all OpenPGP data, and sets all PINs to their default values."

Should add something like:
"Note: Attestation key and policy will not be wiped."

The reason it's important is I have scripts that run to factory reset all features on a key, and other scripts that setup the key (OpenPGP, PIV, etc.) to our specification. When I run the script to set the Attestation Key to "Cached-Fixed" it throws an error. If I would have known that this doesn't reset, I could have ignored this setting for a re-used YubiKey, however, it isn't clear in the documentation that the Touch Policy is not reset.

Note: I am not suggesting the Attestation Key is reset, but I believe the touch policy should do. Or at least there should be a way to remove this, or renew the attestation key?

[dainnilsson]

Thanks for elaborating!

Fixed: "Touch required, cannot be disabled without deleting the private key."

I would say that this is correct. If you delete the attestation key, then the policy is deleted with it. You'll then be able to import or generate a new private key and set a new policy. Note that you will not be able to replace the key with one that is signed by Yubico, so you'll have to set up your own attestation CA for validation of this.

Should add something like:
"Note: Attestation key and policy will not be wiped."

Yes, this I certainly agree with! I'll forward this to the docs team so that they can make it more clear.

[del-leehopper]

I would say that this is correct. If you delete the attestation key, then the policy is deleted with it. You'll then be able to import or generate a new private key and set a new policy. Note that you will not be able to replace the key with one that is signed by Yubico, so you'll have to set up your own attestation CA for validation of this.

Then can I suggest a tweak to the wording to make it more clear?
"Touch required, cached for 15s after use, cannot be disabled without deleting the associated private key."
"Touch required, cannot be disabled without deleting the associated private key."

It just makes it a bit clearer that you can delete each key individually and its associated policy will be deleted.

Yes, this I certainly agree with! I'll forward this to the docs team so that they can make it more clear.

Great, thank you.

Yes, I understand that if you delete the attestation key, you need to create your own. My point was that it's not clear how you would do this if someone would like to do it (e.g. removing the policy is more important that keeping the Yubico signed attestation key).