On 2010-10-07 07:25:47 PM, Mike McLean wrote: > On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote: > > I have one and I've played with it in fedora. There is however an important > > catch. The server and the yubikey share the same AES symmetric key. This means > > that if the yubikey is used for multiple sites by one user, that user is sharing > > is his "private key" over various external sites. > > > > So if fedoraproject would accept it, and the same user uses this yubikey for > > another site, and that other site gets hacked, then fedoraproject could be > > hacked as well. > > > > I guess in a way it is like using the same password, but people might not be > > thinking of that when they have a "device" on them that they use. > > Wow, that's a serious weakness. Are we sure about this? In order for this to happen, the user would have to explicitly take down the generated AES key while it is being written to the key and then submit it to the other site. I don't think this is really something we need to worry about. Thanks, Ricky
Attachment:
pgpsSfVVcVu3Z.pgp
Description: PGP signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
