Date: Sun, 19 Aug 2018 21:57:16 +0300
From: Andrew Savchenko <bircoph@gentoo.org>
To: gentoo-nfp@lists.gentoo.org
Subject: Re: [gentoo-nfp] Developer Crypto Hardware (AGM)
Message-Id: <20180819215716.94a4fe2cd1859dcb599f4d09@gentoo.org>
In-Reply-To: <20180819184223.GA23587@monkey>
Hi!

On Sun, 19 Aug 2018 14:42:23 -0400 Aaron Bauman wrote:
> Gentoo-bug: https://bugs.gentoo.org/659620
>
> All, this email will serve as a comparison between the two vendors which
> have provided quotes to the Foundation. This does not include Alice's
> proposal as U2FZero is currently out of stock in the United States and
> does not seem to offer any availability in Asia. Alice did suggest that
> we split vendors across geographical markets, but I find this will make
> the situation become very difficult to handle. It would also put the
> burden on individuals to receive and disperse the tokens and increase
> shipping costs, burden the treasurer for reimbursements to be processed,
> and possibly cause delays.
>
> Yubikey:
>
> Quote received for (150) Yubikey FIPS tokens.
>
> Unit Price: $44.16 USD
> Total: $6,624 USD
> Discount: 4% (already available to anyone ordering in bulk)
>
> Shipping costs can be found at [1] and the lowest cost projections
> given. They do not offer any standard costs for shipping and cannot
> discount it.
>
> Open source: Several products are no longer open sourced and tracking
> which is/is not can be difficult [4].
>
> Nitrokey:
>
> Quote received based on (150) Nitrokey Pro tokens.
>
> Unit Price: 27,59 € ($31.58 USD at the time of this email)
> Total: 4,138.50 € ($4737.06 USD at the time of this email)
> Discount: 33% (With sponsorship agreement on gentoo.org)
>
> All prices are already inclusive of VAT.
>
> Shipping times can be found here [2]. Shipping costs can be found here
> [3]. The most expensive shipping is worldwide starting at 7,40 €
> ($8.47 USD at the time of this email).
>
> Nitrokey has also offered several unique options for Gentoo. They will
> provide a custom portal which allows each developer to request their
> security token. This is done via a Foundation (infra really) provided
> list of valid gentoo.org email addresses. Additionally, they will
> provide monthly billing of all purchased devices and the Foundation is
> not obligated to purchase all (150) tokens. This can be a standing
> agreement until the Foundation decides to remove financial support.
>
> Considering both vendors, we can estimate shipping at the highest cost
> in order to best prepare for potential expenses.
>
> Open source: All products are considered open [4].

1. Are they open hardware? At the very least, chip and board schematics
should be available. At best, they should be reproducible by third
parties.

2. How is token integrity protected during shipment? Otherwise all this
security enhancement will be marginal at best, if not fake, since if the
device is tampered with physically or at the design level, it provides
no additional security, only a dangerous false sense of such security
enhancement.
Best regards,
Andrew Savchenko