Skip to content

Test nk3 related hotp-verification patches upstream (unpaid by Nitrokey) #1866

New issue
New issue
Closed as not planned
Closed as not planned
Test nk3 related hotp-verification patches upstream (unpaid by Nitrokey)#1866
Labels
Bounty/Donations expectedWork could/should be funded by interested stakeholderrelease cycle - 2025-01-30(originally targeted 2024-11-20)
@tlaurion

Description

@tlaurion
tlaurion
opened on Nov 28, 2024

Focusing on PR content, see PR to follow white rabbit on security/UX/oem issues they solve:

40h of work and counting. Will edit.

2024-12-16: Heads-->Nitrokey work highlighted above still refused to be paid in totality without fighting as of now.
Will have call with @jans23 Tuesday 2024-12-17 after mail exchanged but dismissed, to see if we can arrive to respectful collaboration or not for the future.

In all case, in absence of co-beneficial agreement (mutualism), I will not test Nitrokey code unless it's associated to a PR under Heads from now on since Heads related work should be paid. I'm responsible for Heads, and time must be recognized/valued/paid accordingly Heads partnership should be based on biological concept of mutualism and nothing else. This work, in this issue, should not be confounded with what should be expected to be paid by profit sharing agreement (maintenance and new board porting collaboration related only). If i'm expected to fix Nitrokey stuff, then Nitrokey must pay for the past, present and in the future.

If no mutualism is possible with Nitrokey, at bare minimum commensalism would be expected.
But in no case I will tolerate parasitism from Nitrokey.

Heads usage of Nitrokey based devices started by mutialism with Purism partnering with Heads in 2018 to ease remote attestation through reverse HOTP secret sealing on USB security dongles of their rebranded Nitrokey 1 pro devices, details at https://www.linuxjournal.com/content/tamper-evident-boot-heads. Mutualism could happen again if Nitrokey recognizes their responsibility in making tamper evidence a priority again, but there is not much more of my free time I can invest into this nk3 where absolutely no collaboration from Nitrokey toward Heads (Nitrokey->Heads participation in code/money) and Where Heads invested too much time (Heads->Nitrokey) for this to be considered anything else than parasitism from my perspective at this point.

If not comfortable about those biology principles, make your head reading https://biodifferences.com/difference-between-mutualism-commensalism-and-parasitism.html

@jans23 donations expected otherwise expect less collaboration from me in the future, and future security issues discovered on my side will be associated with a CVE. I learned my lessons, and won't hesitate on going public following ethical disclosure, which i did. This was discussed in chat, in person, you don't seem to understand.

This is me reminding you that the nk3 is not a novelty product and used for security purposes, here under Heads for remote attestation. This remote attestation, through reverse HOTP to a usb security dongle under Heads, always required: authentication, reset and provisioning capabilities, and since forever forwrd plans discussed many times in the past to reduce OEM provisioning time, unattended reset+automated secret provisioning to augment strength of anti-interdiction (both hardware+security dongle in same hipping package) while reducing OEM provisioning costs: reduce time to shipment on OEM side and ease User Re-Ownership frictions while implementing best practices with even diceware passphrases (I shipped this with the Privacy Beast at first shipment back in ~2018, made conferenes about this, and that was what was QubesOS certified.)

If work leading to https://www.nitrokey.com/blog/2024/heads-v25-and-nitrokey-3-firmware-v171-security-update was not compensated in money before (+30h there, didn't count), and as we talked at QubesOS mini-summit 2024 in person, work needs to be paid, otherwise maybe stop selling security promises or pay for security audits not relying on my discoveries that shake trust from the ecosystem and myself into secirity promises, discoveries from my side while testing other things to discover vulnerabilities/bad design/regressions in nk3 over previous security dongles. This impacts myself, Nitrokey, but also partners and the whole ecosystem, resulting in money losses from every support team depending on your security dongles, resulting in issues opened in all partners issue tracking systems, qubesos forum discussions and ping pong games between everyone; meaning downstream/upstream lost time and energies resulting in money loss by being neglectful.

The issues/PR above, and as you can see if clicking on them, needed a lot of involvement (again) ffrom my side, which was not expected/planned. I understand that it was not planned from Nitrokey either, but that is the problem. And work needs to be paid. I never consented to this in this feature freeze, nor what lead to 1.7.1 nk3 firmware when testing improvements on OEM factory reset/Re-Ownership 6 months ago either.

Details of work done here:

This can be tested under #1875 and I won't have time to split it all out, feature freeze discussed was 2024-11-20, and as of 2024-12-11 I'm still waiting for a version bump of hotp-verification to use that commit under Heads.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bounty/Donations expectedWork could/should be funded by interested stakeholderrelease cycle - 2025-01-30(originally targeted 2024-11-20)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions