whats the word on PIV? why PIV? why not GPG?

[nimbius]

just got my solo2 a few days ago and i love the new interface. im the envy of the cube farm!
im also wondering...is PIV still disabled in the latest firmware?

I also have other serious questions about the decision to support PIV at all...

• the standard is only used by one country, for a handful of applications like entry into a military facility, or SNAP food assistance programs. the PIV ecosystem is largely defined by a handful of DoD certificate chains and enrollment procedures.

• the standard is rather encumbered, with only one major closed source vendor supporting modifying the PIV objects on a card and only in windows. PIV Enrollment functionality is restricted to proprietary server-side applications in windows and is only supported in Internet Explorer.

• OpenSC can add objects and manipulate them, but its a cryptic effort at best (no vendor standard.) even YK bundles their own PIV editor software for Linux because PIV isnt easy.

• the PIV standard (FIPS 201) requires an expensive and lengthy (years) audit certification process; it isnt just "something you do" in the spirit of open source. for example, when Yubi decided to pursue FIPS it was aligned to a business strategy of pursuing lucrative FFRDC and other federal agencies who were required under NISPOM/SCG/DOD5200 to support MFA.

hoping someone can help improve my understanding of the direction of solo on the PIV effort as GPG seems far more actively developed and continental.

[nickray]

just got my solo2 a few days ago and i love the new interface. im the envy of the cube farm! im also wondering...is PIV still disabled in the latest firmware?

Glad you like it!

Yes, PIV is still unfinished and hence disabled.

• the standard is only used by one country, for a handful of applications like entry into a military facility, or SNAP food assistance programs. the PIV ecosystem is largely defined by a handful of DoD certificate chains and enrollment procedures.
• the standard is rather encumbered, with only one major closed source vendor supporting modifying the PIV objects on a card and only in windows. PIV Enrollment functionality is restricted to proprietary server-side applications in windows and is only supported in Internet Explorer.

PIV is not "encumbered", whatever that means. It's an open standard:

• FIPS-201: https://csrc.nist.gov/publications/detail/fips/201/3/final
• NIST SP 800-73: https://csrc.nist.gov/publications/detail/sp/800-73/4/final
• the ISO 7816-4 standard (which GPG also builds on) is unfortunately from the old ISO era of pay-for-view standards, but you can find most of it in https://cardwerk.com/iso-7816-smart-card-standard/ or via pirate links

There are multiple open source implementations of PIV as a JavaCard applet:

• https://github.com/arekinath/PivApplet
• https://github.com/makinako/OpenFIPS201

• OpenSC can add objects and manipulate them, but its a cryptic effort at best (no vendor standard.) even YK bundles their own PIV editor software for Linux because PIV isnt easy.

I agree this can be improved. Though they're focused on "Yubico PIV", there are https://github.com/go-piv/piv-go in go and https://docs.rs/yubikey in Rust; I believe Tony is interested in supporting our PIV app once it's ready. makinako's project wiki has a description of his approach, Yubico obviously have their own approach.

I'm not the biggest fan of OpenSC; but they are currently trying to implement "secure messaging" according to the PIV standard (OpenSC/OpenSC#2053), which I'd say is a prerequisite for allowing creating/manipulating sensitive objects.

• the PIV standard (FIPS 201) requires an expensive and lengthy (years) audit certification process; it isnt just "something you do" in the spirit of open source. for example, when Yubi decided to pursue FIPS it was aligned to a business strategy of pursuing lucrative FFRDC and other federal agencies who were required under NISPOM/SCG/DOD5200 to support MFA.

I think you're mixing up a few things. FIPS certification (FIPS 140) is indeed an abomination; it's unlikely we will pursue this (makinako is going to try for OpenFIPS201).
On the other hand, FIPS 201 is the high-level goal description for PIV, with the PIV interface (meaning the command/response structure over PCSC/CCID) defined in NIST SP 800-73. It's a relatively small standard, and as linked above, others have implemented it openly before.

hoping someone can help improve my understanding of the direction of solo on the PIV effort as GPG seems far more actively developed and continental.

There are very many reasons why PGP is not a good idea in 2022 (you can Google for the many loud and not so loud voices banging on this point); you may or may not agree, but I am not interested in continuing this part of conversation.

Nitrokey is planning a PGP app; if and when it exists, we'll make it possible to use it on SoloKeys hardware (this interoperability is the main reason we split out Trussed).

Assuming one agrees with "no PGP", looking around the ecosystem there aren't very many candidates: ISO applet (https://github.com/philipWendland/IsoApplet, (https://globalplatform.org/specs-library/iso-framework-v1/) meaning "take PKCS 15 literally and implement it as a smartcard applet", GIDS (https://docs.microsoft.com/en-us/windows-hardware/drivers/smartcard/windows-inbox-smart-card-minidriver, https://github.com/vletoux/GidsApplet) which is the "other" app natively supported by Windows, intended to solve the provisioning problem compared to PIV. But that's about it, and they're both kinda niche.

I think it's more helpful to share why I personally am a PIV "fan" (comparatively, I've spent enough time with it "in anger" too).

• it gives relatively low-level access to hardware-backed crypto primitives (signatures, key agreement). This is in contrast with PGP which has it's own formats which are not used by anyone outside the "GPG ecosystem"
• it's an open standard (as is PGP)
• it has with native support on Windows and partial (existing) support on other platforms and programming languages

Downsides of PIV in my view:

• very limited number of official algorithms (and no plans to change, NIST is more interested in post-quantum than adding, say, Ed25519/X25519)
• no defined standard for "personalisation" (i.e., how is the "administrator" supposed to place the keys and certificates on the device). This leads to Yubico inventing their own way. From what I hear, this omission was on purpose, with the idea that implementing vendors could "compete" on this axis. At minimum, there is the "Global Platform" stuff
• it's of the old smart card world with all that entails, meaning partially non-free standards, crufty approaches to certain operations, old-fashioned + confusing terminology,... This is a bit of a weird world, as PCSC, CCID, ISO 7816, PKCS 11.... to some extent are "open" standards if not ideal ones, which vendors historically have mostly conformed too, even if they added their own "special sauce" on top.

It would be kind of nice to greenfield everything clean and fresh from scratch, but then we're just creating new vendor lock-in. So while I think there might be a more greenfield HSM-style app in the future, doing something that tries to fit in with the existing ecosystem seems more fruitful to start with.

For these downside topics, I'm in conversation with the other two open source implementations linked above, to try and find ways for "open source PIV" to converge on solutions.

Two further remarks:

• if you're mostly interested in signatures, I very much recommend investigating "SSH signatures" (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig), which today (if your OpenSSH version is sufficiently recent) allows you to do P256 and Ed25519 signatures using FIDO2 keys. Note that Git has added support for SSH signatures (https://calebhearth.com/sign-git-with-ssh); no FIDO flavor support last I checked but planned I believe.
• for encryption, I'd recommend age (https://age-encryption.org/v1) . Currently there are Go (https://github.com/FiloSottile/age) and Rust (https://github.com/str4d/rage) implementations, which let you use Yubico PIV with P256 via plugins. I'll definitely make sure this works with SoloKeys PIV and both P256 and X25519 "recipients".

[nimbius]

@nickray thanks for the fast and super informative reply. ironically due to a webauthn ctap2 bug in firefox for linux i was unable to reply for a few hours. 😅

I guess 'encumbered' isnt a great word, but in the past FIPS standards behaved more as an edict than anything 'open.' in 2019 i recall the PIV comments in the BRM were restricted to government stakeholders only. NIST apparently now permits RFC on github which is refreshing, so it seems i have quite a bit of catching up to do.

I absolutely agree, 140 is a slog for a company of any size. FIPS201 certification is sometimes called the FICAM, used by companies to make it onto the GSA list, but most people just call it fips 201 cert. Gemalto and others have applied for it (so it cant be that hard right? 😁 ) https://www.idmanagement.gov/fips201/ https://www.idmanagement.gov/approved-products-list-piv/

open piv is a very big challenge, but you definitely seem very well versed in it! I hope someday to see solo2 in the SCIF :)

[BryanJacobs]

I think I missed something in the above discussion because the word "authority" doesn't seem to appear once.

With PIV, the normal modus operandi is that one creates a certificate authority (CA). PIV devices (smart cards) generate private keys, and then the CA signs the corresponding public keys. The signed public keys are installed onto the PIV devices. You configure your systems to trust certificates signed by the CA - you say "allow somebody to log in with username=[certificate common name], but only if their cert is signed by this CA I trust".

How is that use case addressed by another standard? SSH and GPG keys, so far as I know, have no concept of a central authority, so if you have a thousand devices, you need to have a list of a thousand things to trust on every server instead of just one.

I'm also pretty unclear how you would authenticate to an email server (SMTP or IMAP) without a PIV device, because so far as I know those protocols don't support OTPs or U2F, but they do support PKCS11 via the SASL EXTERNAL mechanism. Another use case for PIV is PKINIT - authenticating to a Kerberos 5 KDC. Yet another is a VPN (IPSec or OpenVPN) where the keying material itself comes from the device.

I don't feel the discussion above really does justice to all the existing use cases for PIV. I suspect it's a bit biased towards modern web technologies and forgets about the years and years worth of legacy application out there. I think something like U2F is the future, but PIV (specifically PKCS11) is today.

[nickray]

I'd agree that PKI is useful :) Wouldn't really argue that PIV is the one and only way to implement this though. As an example (not endorsement), https://smallstep.com builds an entire business model around SSH certificates.

[BryanJacobs]

I can't seem to find a way to put an SSH certificate (the signed part, not the unsigned public key) onto a hardware device without using PKCS11. So while it's cool that you can have a central authority sign your SSH keys, you still need a PIV app to have a full-featured solution so far as I can see.

If you do find a way to do an entirely resident SSH certificate without PIV please let me know.

It looks like the general consensus on how you securely store an SSH CA is to use an HSM with PIV, too. So there's kinda that to deal with as well. And on a weird note, SSH certs don't have OCSP, so you can't real-time revoke a certificate (you have to go load a list of revoked keys into the SSH server?) and doesn't seem to have the same level of capability of x.509 in general.

[VA1DER]

Now that NitroKey has the OpenPGP, is there any expectation today this will ever actually make it into Solo2? Has Solo2 been abandoned?

[colemickens]

Hey, I'm not sure what GitHub Discussion etiquette is, but there are two "answered" topics and I'm pretty sure I opened one long ago so I'm reluctant to start a new topic...

... is it safe to assume that with manufacturing underway and a FIDO2-related firmware update coming that PIV support might be back on the roadmap?

(separately, but again don't want to make a new topic, are y'all interested in outside contributions? I'm overly obligated, but I keep coming back once a month and will eventually run out of projects. I of course understand "life" and other obligations, but a timeline or even a rough priority list, or a list of issues that are open to external contributors might be helpful.)

(final note, fwiw, I mostly want PIV since I can't have OpenPGP, not that I love GPG...)