@benhamill @ckeen I'm having a bit of a hard time parsing this one... could you elaborate?

@cwebber @benhamill@witches.town The idea the researches presented is that you hide smaller logic pieces not part of the schematics in inner layers of the design in such a way that the bigger components on the outer layers oovershadow them so you would not find them using x-rays.

My argument is that purely an open schematics does not give you a sufficient root of trust, you would need to manufacture the board yourself or by someone you trust.

@ckeen @benhamill Hoo! Yeah... hopefully we can get tot he point where bottom -up manufacturing is like, a real feasible thing

Still, I think an open design *helps* in this thing, even if not perfect.

@cwebber @benhamill@witches.town Yes, baby steps help. The sooner we get rid of this secrecy nonsense the better.

@elomatreb @benhamill @ckeen @cwebber It's open source. It supports RSA and ECC with standard curves. Their symmetric algorithm is AES-256-GCM. They are currently working on including post-quantum algorithms.

@cwebber @ckeen @benhamill @elomatreb Unfortunately as a US product they fall under export controls for the physical devices.

@seanl You'll notice that this is also exactly the feature set supported by browsers, making the statement "Military Grade" completely useless...

@elomatreb Agreed it's just marketing-speak. Seems like an odd thing to get hung up on though.

@elomatreb The main things I'm using my #YubiKey for right now are U2F and TOTP over NFC. AFAICT #OnlyKey's U2F support only works with Chrome, which I only use for work, and it doesn't have NFC at all, so while I supported the project and carry one on my keyring, I haven't ended up actually using it since memorizing the small number of #Diceware passphrases I won't use a software password manager for isn't that hard. Hoping it becomes more useful in the future.

@elomatreb The problem is that a physical token with secure PIN entry is best suited for single-factor zero-knowledge authentication. #OnlyKey could theoretically do both password and U2F or TOTP but again only with Chrome/Chromium, and of those only U2F helps with MITM. The browser's built-in password manager may well be the best MITM mitigation aside from U2F.

Sign in to participate in the conversation

Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!