@pleasantmemory @idkrn

Depending on how the system as a whole is designed, which I don't have details on, the concern I have with storing the keys on disk on a build server vs. on an HSM attached to that server is that, while compromising the build machine lets you make a build in either case, in the no-HSM scenario you can exfiltrate the key much more easily and then have a better shot at hiding the compromise.

Assuming that HSMs are perfect and nothing will ever go wrong is a bad idea, but if you assume they make compromise harder or more expensive then they still add security.

I don't find a lack of updatable firmware to be a particular issue on a device inexpensive enough to replace, especially when that replacement also means key rotation. Replacement isn't cheap, but it's also not that bad at least for a corporate environment.

@gravepapaya not having updates is awful. It also encourages the OEM not to disclose the issue.

@idkrn @gravepapaya why? They get to sell new keys…

The last one, caused by bugs in an Infineon library, my former employer considered low risk and did not replace the Yubikeys. I replaced my personal ones, despite not being a trillion-dollar company.

@fazalmajid 1. They've done refunds before
2. Users aren't going to be happy about buying new keys when other keys allow for free updates
@fazalmajid also, reenrolling your new keys for all of your accounts or whatever is terrible UX and users will notice