by xaduha 3687 days ago
> The best way to show that you support open source is to buy the YubiKey NEO instead of the YubiKey 4.

YubiKey NEO isn't a unique product, it's basically a cardreader and a java smartcard all-in-one, but there are plenty of vendors for both, and it can probably even be cheaper in some circumstances/regions.

If you support open source, then give https://github.com/philipWendland/IsoApplet a look instead.

A separate cardreader also means that you can use several smartcards for various things.


A feature the Yubi has over a smartcard is the button. You can get smartcard readers with pinpads etc, but not ones that fit into an ExpressCard slot.

I was pretty close to getting a Yubi, until I realized that the default version couldn't modify the PGP applet, and didn't find exactly where to order the special "developer edition" either.

At this point it probably makes more sense to find/make a dongle based on an STM32 or the like. The problems with non-hardened hardware discussed in the article are real, but I'd bet the features/innovation enabled by a Free design will outweigh those tradeoffs (e.g. an audit log, indication of what you're signing/unlocking, actual encrypted key material when the device is "cold").

You can still have pin protected stuff, both Security Officer and ordinary user can have them, it's probably part of the PKCS #11 standard. Also, we were talking about Neo.

To me it makes more sense not to do crypto yourself, but trust in an established technology, which is a smartcard. They are used everywhere from sim cards to chip-and-pin credit cards.

Sure, but smartcards have traditionally fulfilled a narrow purpose - creating a notion of non-cloneable identity for some centralized top-down entity. The technology of a hardened mini computer could be applied to many other things, but the closed philosophy of the industry really hinders that. I'd love to get some samples of ST23 and create a board with an appropriate hardware UI for end-user signing, but alas this industry has not seen the light of Kerckhoffs's principle.

My problem with PINs is twofold. First, the reader required to use them in a transparent manner does not fit with the form factor of a laptop. Second, they're obviously less secure than a passphrase - relying completely on hardened hardware. If I'm willing to enter a passphrase for every session, why should I be carrying around the key in the clear?

It's a unique product in the sense that it has a nice form factor and holds additional functionality for more mainstream uses. I have a number of these devices, including the external card reader, the usb key card reader and the integrated rubber usb key. Everyone can decide what they want of course, just don't be surprised when they discontinue the NEO.

If you read between the lines of how it went from closed, to very open, to less open, to now not open at all, it seems like they tried open source but failed. They were probably looking for people to integrate it into some e-mail client, chat application or even bitcoin wallet. Now they've gone back to focusing on their core customer and using a cheaper, more integrated chip.

Point being that if you support open-source, then Yubico isn't your champion. They failed in the sense that it harms their business, not much more than that.

> just don't be surprised when they discontinue the NEO.

I'd say that Yubico isn't a big deal, therefore them discontinuing NEO isn't a big deal either.

If you care about crypto you should probably care what happens to the most appealing device out there, and if you care about open source you should probably care what happens to companies that make open sourcing part of their business.
This is getting nowhere, so let's stop. It's one of those "let's agree to disagree" moments. I certainly don't find yubikey particularly appealing and you already said that they "failed" when it comes to open-source, which I agreed with.
Feitian has a similar product with known keys and running JavaCard in the form of a USB token - http://www.ftsafe.com/product/epass/eJavaToken . Also much cheaper than the Yubikey, see http://javacardos.com/store/smartcard_eJavaToken.php . No NXP proprietary stuff on it and no NDA required either.
I did visit their site some weeks ago, but I'm not a fan of bundling a card reader with a card like that. It's better to buy a separate card reader, java cards themselves can go for as low as $2 each, maybe even cheaper.

NXP is just one of many vendors, they sell blank java cards too.

EDIT: $25 shipping fee is very inflexible.

I use pgp on my mobile devices too, I would prefer something I could use for both my phone and my computer. The NEO would have filled that role. In my research I haven't found anything like that so far. I would love to be enlightened though if anyone knows about something that can do the same!
If your phone has an NFC interface, then in theory it should be possible to access contactless java smart cards.

https://github.com/doc-rj/smartcard-reader

https://play.google.com/store/apps/details?id=com.inoapp.car...

Other than that, there are java cards in microSD format such as these

https://news.ycombinator.com/item?id=9625862

http://www.cardomatic.de/epages/64510967.sf/en_GB/?ObjectPat...

Then there's also a shaky area of pkcs11 proxies.
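Whether the card is reached through a USB reader, a phone's NFC interface or a PKCS#11 layer, what actually crosses the wire is ISO 7816-4 APDUs, and the PIN-retry discussion earlier in the thread is visible in the status words the card returns. The following Python is an added example, not code from any commenter, applet or vendor named above: it encodes a SELECT-by-AID command and a VERIFY (PIN) command, and decodes the response status word, including the 63Cx "PIN wrong, x tries remaining" form. The AID and PIN values are constructed for illustration; the 0x81 PIN reference is the value used for the user PIN by the OpenPGP card specification, but other applets define their own references.

```python
"""Minimal ISO 7816-4 APDU helpers (added example; no hardware or driver needed)."""
from dataclasses import dataclass

# Constructed sample AID for illustration only; real applets have their own registered AIDs.
EXAMPLE_AID = bytes.fromhex("A000000001020304")


@dataclass(frozen=True)
class Response:
    """A card response: optional data bytes followed by the two status bytes SW1 SW2."""
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    def ok(self) -> bool:
        return self.sw == 0x9000


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le=None) -> bytes:
    """Encode a short-form command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    if len(data) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data       # Lc then the data field
    if le is not None:
        apdu += bytes([le & 0xFF])              # Le; 0x00 means "up to 256 bytes"
    return apdu


def select_by_aid(aid: bytes) -> bytes:
    """SELECT (INS A4) with P1=04 (select by DF name / AID), P2=00 (first occurrence)."""
    return build_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=0x00)


def verify_pin(pin: str, pin_ref: int = 0x81) -> bytes:
    """VERIFY (INS 20); P2 names which PIN is being checked (0x81 = OpenPGP user PIN)."""
    return build_apdu(0x00, 0x20, 0x00, pin_ref, pin.encode("ascii"))


def parse_response(raw: bytes) -> Response:
    """Split a raw response into data and status bytes; every response ends in SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response must carry at least SW1 SW2")
    return Response(bytes(raw[:-2]), raw[-2], raw[-1])


def describe_status(resp: Response) -> str:
    """Translate the status word into the condition a caller must handle."""
    sw = resp.sw
    if sw == 0x9000:
        return "success"
    if sw == 0x6A82:
        return "file or application not found"
    if sw == 0x6983:
        return "authentication method blocked (PIN locked)"
    if (sw & 0xFFF0) == 0x63C0:
        # Retry counter is in the low nibble; a caller should surface this before the PIN locks.
        return f"verification failed, {sw & 0x0F} tries remaining"
    if resp.sw1 == 0x61:
        return f"{resp.sw2} more response bytes available (GET RESPONSE)"
    return f"unrecognised status {sw:04X}"


if __name__ == "__main__":
    # Constructed card replies standing in for a real reader/NFC transport.
    print(select_by_aid(EXAMPLE_AID).hex())
    print(verify_pin("123456").hex())
    for raw in (bytes.fromhex("6F038401FF9000"), bytes.fromhex("63C2"), bytes.fromhex("6983")):
        r = parse_response(raw)
        print(raw.hex(), "->", describe_status(r), "data=" + r.data.hex())
```

The transport is deliberately left out: with a USB reader the same bytes go through PC/SC (e.g. pyscard's `transmit`), on Android through `IsoDep.transceive`. The decoding side is where defensive code matters, since a caller that ignores the 63Cx counter will walk a user straight into a 6983 locked PIN.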