The Nitrokey 3 is out soon (currently available for pre-orders) and contains:
* Larger key size support
* Various elliptic curves not available in the current Nitrokey
* USB-C (which is a nice convenience)

The current maximum key size is 2048 bits, which is on the boundary / doesn't meet what's recommended for new RSA keys in 2021. I'm personally interested in being able to use ed25519 for signing commits because, right now, my Nitrokey takes 2-3 seconds per commit - particularly painful when rebasing a large set of commits. mgorny made the point that the new curves give a far better security/speed tradeoff than currently available.

After discussion in #gentoo-trustees, a few of us were hoping the Foundation could approach Nitrokey and request that, as a substantial customer, we could have a possible pre-order portal. If not, consider this a request to make the new Nitrokeys available to Gentoo developers when they're released.
https://www.nitrokey.com/news/2021/new-nitrokey-3-nfc-usb-c-rust-common-criteria-eal-6
A little correction: our Nitrokeys do support larger keys, but every signature takes a few seconds, effectively making them practically impossible to use. RSA2048 can be used but is annoyingly slow, and having an EC25519-capable key would be a good thing given it's the only curve we allow in the GLEP. Given that they have problems procuring the hardware, I think issuing a group order may speed things up compared to individual orders.
Looking at one of the '3' keys...

> Additional functions such as one-time passwords, password manager and OpenPGP smart card may not be implemented at the time of delivery, but will be provided later via firmware updates.

So, I'd say we should wait.
Usually Nitrokey has been consistent in their delivery, AFAIR.
@Matthew where did you find that text? Looks like they already started to ship the Nitrokey 3:

"""
Status Update, 10/18/2021
The first Nitrokey 3C NFC were produced and shipped. Production and delivery of all pre-orders is expected to take several weeks. All pre-orderers will be informed via email as soon as their Nitrokeys have been shipped. Pre-orderers who will only be served from the next production batch will be informed via email in the next few weeks.
"""
Looks like Nitrokey decided to use a Trussed-based firmware:
https://trussed.dev/
https://github.com/Nitrokey/nitrokey-3-firmware
ping
(In reply to Sam James from comment #7)
> ping

Robin recently chatted with them, they are adding the GPG support in the new key and I think the goal is to touch base with them in 3-6 once that support is ready. Currently the nitrokey3 only supports FIDO; but GPG support is coming.

-A
(In reply to Alec Warner from comment #8)
> (In reply to Sam James from comment #7)
> > ping
>
> Robin recently chatted with them, they are adding the GPG support in the new
> key and I think the goal is to touch base with them in 3-6 once that support
> is ready. Currently the nitrokey3 only supports FIDO; but GPG support is
> coming.
>
> -A

Sorry, 3-6 *months*.

-A
How about now?
https://www.nitrokey.com/blog/2022/openpgp-card-alpha-nitrokey-3

An alpha release, that's good enough for Gentoo, right? ;)

More seriously, I think they're far along enough for us to at least start this process.
Ping. It's now very much ready.
https://www.nitrokey.com/news/2023/milestone-nitrokey-3-achieved-openpgp-card-one-time-passwords-and-usb-c-availability
Should the Council be taking this over?
Removing myself as I got a free YubiKey from work instead. :)
I have emailed the Nitrokey CEO about refreshing this offering.

Gentoo would cover:
- 2 Nitrokeys per developer (pick 3A or 3C)
- shipping

Developers can add other Nitrokey shop products to the same order at their own cost (somebody once asked me for this, and I feel it helps improve the margins for Nitrokey to continue the arrangement).
(In reply to Robin Johnson from comment #14)
> I have emailed the Nitrokey CEO about refreshing this offering.

The Nitrokey CEO is looking into renewing, but nothing solid yet to report on.
@Robbat2 thanks for looking into this
There's been no further updates from Nitrokey, but I do want to be ready for them.

soap, ulm, dilfridge:
Can you confirm you received the samples and there are no blockers you see based on the refreshed hardware itself?
(In reply to Robin Johnson from comment #17)
> There's been no further updates from Nitrokey, but I do want to be ready for
> them.
>
> soap,ulm,dilfridge:
> Can you confirm you received the samples and there are no blockers you see
> based on the refreshed hardware itself?

I've received the sample (Nitrokey 3C NFC) on 2024-06-03. Some comments on its mechanical build quality:
- Dimensions are 39.6 mm × 19.0 mm × 7.4 mm
- The case appears to be the same as for the old Nitrokey Pro and makes a somewhat cheap impression
- No protective cap for the plug (the old Nitrokey had one)

The 19.0 mm width and 7.4 mm height are larger than the maximum dimensions for a Type-C plug, which are 12.35 mm × 6.5 mm (see Universal Serial Bus Type-C Cable and Connector Specification, Release 2.0, August 2019, Figure 3-3, https://www.usb.org/sites/default/files/USB%20Type-C%20Spec%20R2.0%20-%20August%202019.pdf). In practice, this means that the neighbouring USB-C port of my laptop is also obstructed, even for a narrow plug.
If port space is an issue, you could use an adapter to plug it into a USB-A port. Probably better than getting the USB-A model.

While all that's not great, I'd still like one. My v2 did come apart after some years, but I do carry it around everywhere. I put some tape around it and it's held together very well since.

What's the alternative? We order YubiKeys instead?
(In reply to James Le Cuirot from comment #19)
> What's the alternative? We order YubiKeys instead?

Yes, that's what was discussed in the last council meeting.

19:47 <@dilfridge> motion: approach yubikey and try to establish a similar deal, yes no abstain
19:47 <@sam_> but hell, what does the freedom matter for a yubikey or nitrokey given you can't flash either?
19:47 * sam_ yes
19:47 * ulm no
19:47 * ajak yes
19:47 * soap yes
19:48 * dilfridge abstain
19:48 * mgorny yes
19:48 <@dilfridge> mattst88: ?
19:48 * ajak doesn't think a "similar deal" should be a prereq to establish a similar gentoo<->developer deal though
19:49 <@dilfridge> anyway, that's 4 yes, 1 no, 1 abstain, 1 missing, motion in all its vagueness carried ...
19:50 * mattst88 yes
19:50 <@mattst88> (sorry)
If you get a YubiKey, a YuCase might be something to consider: https://yu-case.com/

FYI, there is the old YuCase and the new "YuCase B+". I got the old one way back before the new one was available :)
Not going anywhere.