Install supporting software
sudo apt-add-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install scdaemon -y
sudo apt-get install python-setuptools python-crypto python-pyscard python-pyside pyside-tools libykpers-1-1 pcscd -y
sudo apt-get install yubioath-desktop yubikey-personalization yubikey-personalization-gui yubikey-manager -y
Insert Yubikey and Generate key
Export and back up the public key, because the Yubikey only stores the private portion: the public key is what others need to encrypt to you and verify your signatures, and what you need on any other machine (import it there, then run gpg --card-status so gpg creates key stubs pointing at the card).
gpg --armor --export $KEYID > mykey.pub
Require touching the Yubikey button to authenticate, sign, or encrypt (on ykman 4 and later the subcommand is ykman openpgp keys set-touch <slot> on; use fixed instead of on if the policy should be permanent until the OpenPGP applet is reset):
ykman openpgp touch aut on
ykman openpgp touch sig on
ykman openpgp touch enc on
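The steps above (back up the public key, turn on touch for all three slots) as one script, with a check that reads ykman openpgp info and confirms the touch policies really took. This is an added example, not a script from the original post; it assumes KEYID is exported in the environment, gpg 2.1 or later and ykman are installed, and the card is inserted. The ykman openpgp info lines that the check parses are reproduced from memory and the sample in the test is constructed, so verify the format against your ykman version.

```shell
#!/bin/sh
# Added example, not part of the original post. Hardware-touching steps live
# in main(); touch_enforced() only parses text, so it can be tried offline.
# Assumptions: KEYID set in the environment; gpg >= 2.1; ykman installed.

BACKUP_DIR="${BACKUP_DIR:-$HOME/yubikey-backup}"

# The card holds only private key material. Without this export the key is
# unusable elsewhere: on another machine, `gpg --import mykey.pub` and then
# `gpg --card-status` so gpg creates stubs that point at the card.
export_public_keys() {
    keyid="$1"
    mkdir -p "$BACKUP_DIR"
    gpg --armor --export "$keyid" > "$BACKUP_DIR/mykey.pub"
    gpg --export-ssh-key "$keyid" > "$BACKUP_DIR/mykey.ssh.pub"
    # gpg can write nothing (with only a warning) for an unknown key ID,
    # so refuse to call an empty file a backup.
    [ -s "$BACKUP_DIR/mykey.pub" ] || {
        echo "no public key exported for $keyid" >&2
        return 1
    }
}

# Require a physical touch for authentication, signing and encryption.
# Older ykman: `ykman openpgp touch <slot> on`; ykman 4+: `keys set-touch`.
# Both prompt for the admin PIN. "fixed" instead of "on" makes the policy
# permanent until the OpenPGP applet is reset.
set_touch_policies() {
    for slot in aut sig enc; do
        ykman openpgp keys set-touch "$slot" on 2>/dev/null \
            || ykman openpgp touch "$slot" on \
            || return 1
    done
}

# Read `ykman openpgp info` on stdin; succeed only if the sig/enc/aut slots
# all carry a policy that demands a touch (On, Fixed, Cached, Cached-Fixed).
# Assumed output format (one line per slot): "Signature key           On".
touch_enforced() {
    awk '
        /^(Signature|Encryption|Authentication) key/ {
            seen++
            if ($NF !~ /^(On|Fixed|Cached|Cached-Fixed)$/) {
                printf "touch NOT required for %s key (%s)\n", $1, $NF
                bad++
            }
        }
        END { if (seen == 3 && bad == 0) exit 0; exit 1 }'
}

main() {
    [ -n "${KEYID:-}" ] || { echo "set KEYID first" >&2; exit 1; }
    export_public_keys "$KEYID"
    set_touch_policies
    ykman openpgp info | touch_enforced \
        || { echo "touch policy check failed" >&2; exit 1; }
    gpg --card-status   # the three slots should now show as on-card keys
}

# Run as: KEYID=... sh yubikey-post-gen.sh run
case "${1:-}" in run) main ;; esac
```

The parse step matters because the touch commands succeed silently; reading the policy back is the only way to know a slot was not skipped (for example after a mistyped admin PIN on one of the three calls).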
Change the PIN
Change Yubikey information
Blind adherence to process also drives out creative people and rewards nonproductive bean counters.
From The Responsive Enterprise: Embracing the Hacker Way
To paraphrase something else the article said: Organizational memory needs to be periodically “reset” to keep up with operating in a changing world, else it can become an impediment to growth.
Another comment about process:
Being agile is about communication. The process needs to change with the situation. — Erik Meijer
I recently learned of Chrome’s intent to remove public key pinning and replace it with the new draft Expect-CT HTTP header. Ultimately, it should give us a safer web.
Chris Palmer explains:
To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function.
Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs. Site operators can generally deploy Expect-CT on a domain without needing to take any additional steps when obtaining certificates for the domain. Even if the CT log ecosystem substantially changes during the validity period of the certificate, site operators can provide updated SCTs in the form of OCSP responses (if their CA supports it) or via a TLS extension (if they wish for greater control). The combination of these mitigations substantially reduces the risk of DoS (either accidental or hostile) via Expect-CT deployment. By combining Expect-CT with active monitoring for relevant domains, which a growing number of CAs and third-parties now provide, site operators can proactively detect misissuance in a way that HPKP does not achieve, while also reducing the risk of misconfiguration and avoiding the risk of hostile pinning.
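The header Chris Palmer recommends has three directives: max-age, enforce and report-uri. The rationale above rests on two of them being used together (a report-uri so you actually see misissuance, and enforce only once reports are clean). As an added example that is not from this post or from Chrome, here is a small Python checker that parses a candidate header value, flags deployments that throw those properties away, and summarizes the JSON report a browser would POST to report-uri. The header values and the report body are constructed for the example; the report field names follow the Expect-CT draft (later RFC 9163). One caveat for anyone reading this later: Chrome has since removed Expect-CT as well (Chrome 107), because CT compliance is now required of every publicly trusted certificate regardless of header, so this is of historical interest rather than a deployment recommendation.

```python
"""Added example (not from the original post): lint an Expect-CT header value
and summarize the report a browser would POST to its report-uri.

Sample header values and SAMPLE_REPORT are constructed for this example;
report field names follow the Expect-CT draft (later RFC 9163).
"""
import json
from urllib.parse import urlsplit


def parse_expect_ct(value):
    """Parse `max-age=N, enforce, report-uri="..."` into a dict.

    Directive names are case-insensitive and comma-separated; report-uri is a
    quoted string. max_age is None when missing or non-numeric, because a
    header without a valid max-age carries no policy at all. Splitting on
    commas is deliberate simplicity: a report-uri containing a literal comma
    would be mis-parsed.
    """
    policy = {"max_age": None, "enforce": False, "report_uri": None}
    for directive in value.split(","):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(raw) if raw.isdigit() else None
        elif name == "enforce":
            policy["enforce"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw or None
    return policy


def assess_expect_ct(value):
    """Return findings (strings) for a header value.

    An empty list means the deployment keeps the monitoring and recovery
    properties described in the quoted rationale: reports flow somewhere,
    over TLS, whether or not enforce is on yet.
    """
    policy = parse_expect_ct(value)
    if policy["max_age"] is None:
        return ["invalid: max-age missing or non-numeric; browsers ignore the header"]
    findings = []
    uri = policy["report_uri"]
    if uri is None:
        if policy["enforce"]:
            findings.append("enforce without report-uri: SCT failures are fatal "
                            "for users and invisible to you")
        else:
            findings.append("report-only without report-uri: the header does nothing")
    elif urlsplit(uri).scheme != "https":
        findings.append("report-uri is not https: misissuance reports travel in the clear")
    return findings


def summarize_report(body):
    """Reduce a report body (JSON POSTed to report-uri) to what an on-call
    engineer looks at first: host, port, mode, how many SCTs were served."""
    report = json.loads(body)["expect-ct-report"]
    return {
        "hostname": report["hostname"],
        "port": report.get("port", 443),
        "failure_mode": report.get("failure-mode", "report-only"),
        "sct_count": len(report.get("scts", [])),
    }


# Constructed sample report: a host that served no SCTs while in report-only mode.
SAMPLE_REPORT = json.dumps({"expect-ct-report": {
    "date-time": "2017-10-27T12:00:00Z",
    "hostname": "www.example.com",
    "port": 443,
    "effective-expiration-date": "2017-10-28T12:00:00Z",
    "failure-mode": "report-only",
    "scts": [],
}})

if __name__ == "__main__":
    for header in ('max-age=86400, report-uri="https://ct.example.com/report"',
                   'max-age=86400, enforce, report-uri="https://ct.example.com/report"',
                   "max-age=86400, enforce",
                   "enforce"):
        print(header, "->", assess_expect_ct(header) or ["ok"])
    print(summarize_report(SAMPLE_REPORT))
```

The intended rollout this encodes is the one the quote argues for: ship max-age plus report-uri first, watch the reports until the served chains always carry valid SCTs, and only then add enforce. Unlike HPKP, a bad enforce deployment is repaired by fixing the certificate (new SCTs via OCSP stapling or the TLS extension), not by waiting for max-age to expire.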