Is the YubiKey 4's OpenPGP implementation open source?

8

Although earlier versions of the YubiKey (e.g. Neo and Neo-N) used an open source Java applet to handle OpenPGP signing, encryption and authentication, it is not clear from the Yubico website/documentation whether this also holds for the new YubiKey 4.

    
asked by Jonathan Cross 11.05.2016 - 15:40

1 answer

6

No, the Yubikey 4 is not open source:

The implementation is not open source, that is correct. We have both internal and external review of our code to ensure that it is secure. It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you've linked to demonstrates quite well. The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code. It was interaction with the device itself which led to its discovery.

We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so. One reason is that on the YubiKey NEO, each applet runs in its own sandbox, isolated from the rest of the system and can be audited/reasoned about on its own. This is not the case on the YubiKey 4, where each part of the system interacts with several others. Another reason that ykneo-openpgp was implemented as an open source project (aside from being able to leverage an existing project) was that it was useful for others, as it can run on a variety of devices. Again, this is not the case for the implementation running on the YubiKey 4.

Although older devices such as the Yubikey NEO used an open source applet, the new Yubikey 4 devices quietly switched to a proprietary, closed-source implementation.

    
answered 11.05.2016 - 15:40
