YKOATH compatibility #103
Comments
Hi!
We have taken a decision to go our own way, and reuse only a part of the
protocol, without compatibility to the specification. Notably the
authentication scheme is different afair.
This was introduced around the v0.6 release, if I remember correctly. In
case you would be interested in making your own module, the versions prior
should be compatible.
Wed, 11 Oct 2023, 21:17, user Steffen Vogel ***@***.***> wrote:
> Hi all,
>
> I am currently working on a Golang implementation of the YKOATH protocol
> <https://developers.yubico.com/OATH/YKOATH_Protocol.html>:
> https://github.com/cunicu/go-ykoath
>
> Reading the README of this repo, I got the impression that you are aiming
> for compatibility with Yubico's protocol. Is this still the case?
>
> I am facing some issues to select the app via CCID.
>
> See also: cunicu/hawkes#7
|
You can find more information about the client implementation in the
pynitrokey PRs, and in the protocol update/ extension document in the repo:
https://github.com/Nitrokey/trussed-secrets-app/blob/main/docs/ctaphid.md
https://github.com/Nitrokey/pynitrokey/pulls?q=is%3Apr+is%3Aclosed+secrets
|
Thanks @szszszsz for the explanation :) I am wondering: the protocol description is pretty detailed. I will likely start a client implementation based on it in Go. Are the APDU instructions somehow handled differently over CTAPHID rather than CCID? For my use case I am more interested in CCID.. |
No. The CTAPHID command payload is interpreted as an APDU and delegated to the CCID implementation, see https://github.com/Nitrokey/trussed-secrets-app/blob/main/src/ctaphid.rs. If you want to use this over CCID, you should just be aware that there can be access conflicts with gnupg. (That’s one of the reasons for adding the CTAPHID interface.)
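Good point. We could call it protocol.md and clarify that you can either send the APDUs directly via CCID or wrapped as CTAPHID commands. |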
Happy to help!
I think there might be one difference, that is the status word (2 bytes)
may be first in the ctaphid response of the secrets app, instead of being
last, as it is in the ccid. I can't confirm it at the moment, but this
should be clearly visible in the python client's implementation.
Thu, 12 Oct 2023, 11:23, user Robin Krahl ***@***.***> wrote:
> > Are the APDU instructions somehow handled differently over CTAPHID rather
> > than CCID?
>
> No. The CTAPHID command payload is interpreted as an APDU and delegated to
> the CCID implementation, see
> https://github.com/Nitrokey/trussed-secrets-app/blob/main/src/ctaphid.rs.
> If you want to use this over CCID, you should just be aware that there can
> be access conflicts with gnupg. (That’s one of the reasons for adding the
> CTAPHID interface.)
>
> > Or to rename the file and cover both CTAPHID and CCID transports in it?
>
> Good point. We could call it protocol.md and clarify that you can either
> send the APDUs directly via CCID or wrapped as CTAPHID commands.
|
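The status-word placement raised in the comment above, as an added Go example that is not part of the thread, the Nitrokey code or go-ykoath. The CTAPHID layout (status word first) is an assumption taken from that comment, which its author could not confirm; `Transport`, `SplitResponse` and `Payload` are hypothetical names, and the byte strings are constructed samples.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Transport selects where the 2-byte status word sits in a raw response.
type Transport int

const (
	CCID    Transport = iota // ISO 7816-4 response APDU: data || SW1 SW2
	CTAPHID                  // assumed from the thread (unconfirmed): SW1 SW2 || data
)
const swSuccess = 0x9000 // ISO 7816-4 "no error"

// SplitResponse separates payload and status word for the given transport.
func SplitResponse(t Transport, raw []byte) (data []byte, sw uint16, err error) {
	if len(raw) < 2 {
		return nil, 0, errors.New("response shorter than the 2-byte status word")
	}
	if t == CTAPHID {
		return raw[2:], binary.BigEndian.Uint16(raw[:2]), nil
	}
	n := len(raw) - 2
	return raw[:n], binary.BigEndian.Uint16(raw[n:]), nil
}

// Payload returns the data only when the status word signals success.
func Payload(t Transport, raw []byte) ([]byte, error) {
	data, sw, err := SplitResponse(t, raw)
	if err != nil {
		return nil, err
	}
	if sw != swSuccess {
		return nil, fmt.Errorf("device returned status word 0x%04x", sw)
	}
	return data, nil
}

func main() {
	// Constructed sample: the same 3-byte payload framed both ways.
	ccid, hid := []byte{0xAA, 0xBB, 0xCC, 0x90, 0x00}, []byte{0x90, 0x00, 0xAA, 0xBB, 0xCC}
	a, _ := Payload(CCID, ccid)
	b, _ := Payload(CTAPHID, hid)
	_, err := Payload(CCID, hid) // wrong layout shows up as a bad status word
	fmt.Printf("%x %x %v\n", a, b, err)
}
```

Checking the status word before touching the payload means a transport mix-up fails closed instead of handing status bytes to the caller as data.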
Okay, I think that aligns with my observations. I will report once I have a first version of the Go package ready. |
Hi all,
I am currently working on a Golang implementation of the YKOATH protocol: https://github.com/cunicu/go-ykoath
Reading the README of this repo, I got the impression that you are aiming for compatibility with Yubico's protocol. Is this still the case?
I am facing some issues to select the app via CCID.
See also: cunicu/hawkes#7