tech-userlevel archive


Re: fidocrypt(1): `storing' cgd keys on U2F/FIDO keys



On 2022-08-06 18:28 EDT, Taylor R Campbell wrote:
> [bcc tech-crypto@ tech-security@, followups to tech-userlevel@]
>
> I would like to import the fidocrypt(1) utility into base:
>
> https://github.com/riastradh/fidocrypt/
>
> fidocrypt(1) is a small program that lets you `store' a secret on
> U2F/FIDO keys, with a little state on disk that enables you to
> register or unregister keys without changing the secret, so that any
> one of the registered keys can be used to open the secret.

Not sure my personal opinion is all that relevant, these days, for tech-userlevel (or any of those bcc'ed lists), but this definitely sounds like a useful tool to me for the use case of NetBSD as a desktop computer.

I mostly use macOS at home and Windows at work in that "desktop" context these days, so I threw up my hands a few years ago and wrote my own credential manager whose datastore is a USB mass storage device attached to my keychain, and is largely a UI wrapper around a PGP-encrypted file in a specific format. (I prefer USB devices that either have hardware encryption or are formatted with an encrypted file system, but whatever.)

But that's a bunch of home-rolled garbage, whereas I think what you're proposing to add to base is an interface to a standards-compliant (and somewhat-open) device specification. Right?

I guess my follow-up Devil's advocacy question would be: why does this need to be in base, rather than provided via ports?

That is: the NetBSD systems I keep running are local VMs for very specific purposes (e.g., home automation), hosted VMs for different purposes (e.g., email routing), and physical systems for which the original vendor has discontinued OS support (e.g., the Mac Mini that is my stereo).

Why should this be in the base install?

--
Gabriel Rosenkoetter (he/him)
gr%eclipsed.net@localhost

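An added illustration (not fidocrypt's code or its on-disk format) of the property the quoted description names: one fixed secret is wrapped separately under each registered credential, so keys can be registered or unregistered without the secret itself changing, and any one remaining key still opens it. The per-credential device secret is a constructed random stand-in for what a real authenticator would supply, and the HMAC-based wrapping, labels and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

Entry = Tuple[bytes, bytes, bytes]  # (nonce, wrapped secret, tag)

def fake_device_secret() -> bytes:
    # Constructed stand-in for the per-credential secret a FIDO device
    # would derive; in reality it never leaves the authenticator.
    return os.urandom(32)

def _kek(device_secret: bytes, cred_id: bytes) -> bytes:
    # Per-credential wrapping key (HMAC used as a simple KDF; assumption).
    return hmac.new(device_secret, b"demo-kek" + cred_id, hashlib.sha256).digest()

def register(state: Dict[bytes, Entry], master: bytes, cred_id: bytes,
             device_secret: bytes) -> None:
    """Wrap the unchanged 32-byte master secret under one more credential."""
    if len(master) != 32:
        raise ValueError("master secret must be 32 bytes")
    kek = _kek(device_secret, cred_id)
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    wrapped = bytes(m ^ p for m, p in zip(master, pad))
    tag = hmac.new(kek, b"mac" + nonce + wrapped, hashlib.sha256).digest()
    state[cred_id] = (nonce, wrapped, tag)

def unregister(state: Dict[bytes, Entry], cred_id: bytes) -> None:
    # Dropping the entry revokes that key; every other entry is untouched.
    del state[cred_id]

def open_secret(state: Dict[bytes, Entry], cred_id: bytes,
                device_secret: bytes) -> Optional[bytes]:
    """Recover the master secret with any one registered key, or None."""
    entry = state.get(cred_id)
    if entry is None:
        return None
    nonce, wrapped, tag = entry
    kek = _kek(device_secret, cred_id)
    expect = hmac.new(kek, b"mac" + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):  # wrong key or tampered state
        return None
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ p for c, p in zip(wrapped, pad))
```

The on-disk state holds only wrapped copies and tags, so losing it to an attacker without one of the registered devices reveals nothing about the secret under this construction.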


