
docs: edits to page covering max PIV cert sizes #356

Merged: equijano21 merged 9 commits into develop from docs-rfe-3560 on Jan 7, 2026

Conversation

@equijano21
Contributor

Description

Removed inaccurate statements about typical PIV cert sizes, reworked/streamlined chapter.

Addresses RFE-3560.

How has this been tested?

Local docs build.

| 5.x FIPS | about 49,890 | 24 certs at 2079 bytes | 16 certs at 3052 bytes |
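Review bot: 24 certificates at 2,079 bytes come to 49,896 bytes, which is over the "about 49,890" maximum in the same row, so 2,079 can only be the rounded average (49,890 / 24 is about 2,078.75); either label that column as a rounded average or use 2,078 so that 24 certificates of the listed size actually fit. The "16 certs at 3052 bytes" figure is consistent (16 x 3,052 = 48,832).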

Note that that total amount of storage on a YubiKey (for certs, for PUT DATA objects,
Note that that total amount of storage on a YubiKey (for certs, PUT DATA objects,
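Review bot: "Note that that total amount" has a doubled "that" in the new line, carried over from the old one; it should read "Note that the total amount".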
Contributor


The (original) text is confusing. The PIV applet storage is 50K (AFAIK), with about 1K(?) occupied from the factory by the PIV attestation objects. This means available theoretical space is 49K unless the user deletes the attestation cert. Further, the statement: " there will be very little space left for anything else." suggests that there's something else the audience should put on the applet besides certificates. Very strange...

I would move this (shortened) to the opening paragraph. Actual storage should be verified by fw team.

The YubiKey PIV applet can store up to 24 certificates with corresponding private keys. In practice the number of certificates and keys that can be stored is determined by choice of algorithm and key length (e.g. RSA 1024 vs RSA 4096), certificate complexity (e.g. use of OIDs, size attributes), the presence of PIV attestation objects etcetera.

Note: the total storage capacity of the YubiKey PIV applet is X with Y being occupied by the PIV attestation objects.

Contributor Author


Added note about cert sizes in practice: d3bd2ae

Contributor Author


Additional updates regarding total storage space: 38c5d2b

to store up to 24 certs. No newline at end of file
there will be very little space left for anything else.
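Review bot: the "No newline at end of file" marker on "to store up to 24 certs." means that version of the file ends without a trailing newline; terminate the last line so the file is well-formed and later diffs stay clean.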

| YubiKey Version | Maximum Total Cert<br/>Space Available | Maximum Average<br/>Cert Size | Number of Certs<br/>at Maximum Size |
Contributor


Instead of "YubiKey Version", write: "Firmware"
Instead of "Number of Certs", write: "Number of certificates*"

Add "*" at table footer with text:

"*The approximate number of certificates with corresponding private keys"

Contributor Author


Spelled out "certificates" across tables and other page text: 56e0ec2

Contributor Author


Wrote out model and firmware in tables, rearranged as necessary: 485ca63

(model is important because there are differences in total size available between fips and standard keys)

Although YubiKeys with firmware version 4.x and higher will allow 3052-byte certificates, they will not be able to store 24 certificates of that size due to the key's total certificate space limit. Even if a YubiKey has empty certificate slots available, you cannot fill them once the maximum certificate space has been reached.

A NEO (pre-4.0), only has four slots, and will be able to hold four certs of the maximum
However, a YubiKey NEO, which only has four slots, will be able to hold four certs of the maximum
Contributor


NEO is long dead. No need to confuse the audience with it (IMHO).

Contributor Author


I'm really hesitant to remove product information like this. If we want to start scrubbing any mention of NEO keys from the docs, I'd like to get eng and product consensus on it first.

Contributor


OK, up to you. I would at least spell out "YubiKey NEO" then, and "certificates" instead of "certs" (feels too colloquial to me).

Contributor Author


Updated product names in both tables: de90d2d


Although a YubiKey 5.x will allow a 3052-byte cert in one of the slots, it will not be
able to store 24 certs that big.
Although YubiKeys with firmware version 4.x and higher will allow 3052-byte certificates, they will not be able to store 24 certificates of that size due to the key's total certificate space limit. Even if a YubiKey has empty certificate slots available, you cannot fill them once the maximum certificate space has been reached.
Contributor


Skip 4.x mention. I don't know if we should fixate on "3052" like this. The paragraph also seems redundant considering the previous statements.

Contributor Author


I think the diff might be confusing—here's what the HTML output looks like:

Screenshot 2025-12-02 at 10 00 55 AM

Contributor Author

@equijano21 equijano21 Dec 2, 2025


What do you mean by "fixate on 3052"? This page just covers max cert size and total cert space available, so the 3052 max byte size is kind of a critical piece of info, especially given the contents of the second table.

Contributor


Ok, I realize this is scope creep, but for starters the summary is longer than the article. That does not make any sense. In fact the article is so short that it does not need any summary (I would remove it). Now, if you read the summary only then '3052' is a totally out of the blue number. You have to carefully read the table to make sense of the summary, and that is NOT a good approach to a summary. If you really want to keep the summary then I would suggest you put '3052' in some kind of context, e.g. referring to it there as the maximum size of an importable object.


## Maximum size for a single certificate

If you attempt to load a certificate that is larger than the key's maximum allowable certificate size (as indicated in the table below), the YubiKey will reject it, and the SDK will throw an exception.
Contributor


I don't think this is a correct statement. If you want to keep it, I would use "YubiKey's" instead of "key's" (otherwise it's confusing since we are talking about certificates and private, public keys). Does this table indicate certificate maximum size or is it "private key + certificate" combined maximum size?

Contributor Author


I don't know about the table data—I wasn't the original writer of this page. I can verify the information with the firmware team if you're not sure it's correct.

Also, this statement was already in the docs, I just relocated it and reworked the sentence a bit.

Contributor Author


Wrote out "YubiKey" where necessary: fefe4c0

Contributor Author


Confirmed with the firmware team that the table data is correct.
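A capacity check for the limits discussed in this thread, as an added example that is not part of the PR, the docs page, or Yubico's SDK: it reads each certificate's outer DER length and then simulates loading certificates in order against the 5.x FIPS figures from the table (about 49,890 bytes total, 3,052 bytes per certificate, 24 slots). That the firmware counts exactly the DER-encoded certificate bytes is an assumption, and the sample certificates are constructed placeholders.

```python
# Constants taken from the PR's table row for YubiKey 5.x FIPS.
# Assumption: the limits apply to the DER-encoded certificate bytes.
MAX_TOTAL_CERT_SPACE = 49_890   # "about 49,890" bytes for all certificates
MAX_SINGLE_CERT_SIZE = 3_052    # bytes; a larger certificate is rejected by the YubiKey
MAX_SLOTS = 24                  # private key/certificate pairs on firmware 4.x and higher


def der_encoded_length(der: bytes) -> int:
    """Return the full size (header + contents) of the outer DER SEQUENCE.

    Raises ValueError for anything that is not a well-formed SEQUENCE whose
    declared length matches the bytes supplied, so truncated or non-DER
    blobs are caught locally instead of being sent to the applet.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: single length byte
        header, content = 2, first
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        header = 2 + n
        content = int.from_bytes(der[2:2 + n], "big")
    total = header + content
    if total != len(der):
        raise ValueError(f"DER declares {total} bytes but {len(der)} were given")
    return total


def plan_certificate_loads(certs: list[bytes]) -> dict:
    """Simulate loading certificates in order; report what fits and why the rest would fail."""
    used, loaded, rejected = 0, 0, []
    for i, der in enumerate(certs):
        size = der_encoded_length(der)
        if i >= MAX_SLOTS:
            rejected.append((i, size, "no free slot"))
        elif size > MAX_SINGLE_CERT_SIZE:
            rejected.append((i, size, "exceeds maximum single certificate size"))
        elif used + size > MAX_TOTAL_CERT_SPACE:   # empty slots do not help here
            rejected.append((i, size, "exceeds total certificate space"))
        else:
            used += size
            loaded += 1
    return {"loaded": loaded, "bytes_used": used, "rejected": rejected}


def fake_der_cert(total_size: int) -> bytes:
    """Constructed stand-in for a DER certificate of exactly total_size bytes."""
    content = total_size - 4            # header is 0x30 0x82 plus two length bytes
    return b"\x30\x82" + content.to_bytes(2, "big") + b"\x00" * content
```

Run on 17 certificates of 3,052 bytes it loads 16 and rejects the 17th for total space, matching the table's "16 certs at 3052 bytes"; 24 certificates of 2,079 bytes load only 23 because that average is rounded up.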


Nonetheless, these are the space limitations for certs in the PIV application on the
YubiKey.
It is possible to store up to 24 private key/certificate pairs in the PIV slots for YubiKeys with firmware version 4.x and higher. However, there are limits to the size of each certificate and the total space available for all certificates.
Contributor


I would skip any mention of YK fw. 4 (it was released in 2015 and we cannot reasonably expect customers to enroll certificates on YK 4 ten years later, right?). Maybe something along the lines of:

The YubiKey PIV applet can store up to 24 certificates with corresponding private keys. In practice the number of certificates and keys that can be stored is determined by choice of algorithm and key length (e.g. RSA 1024 vs RSA 4096), certificate complexity (e.g. use of OIDs, size attributes), the presence of PIV attestation objects etcetera.

Contributor Author


I don't see a reason to remove mention of the firmware version—all we're saying here is that X is true for YubiKeys with firmware Y and above. That doesn't read to me as something that would confuse a developer with 5.x keys.

@equijano21
Contributor Author

@JMarkstrom I made a couple other changes after discussing these docs with the firmware team: 38c5d2b

The PR is now ready for another review.

@equijano21 equijano21 requested a review from JMarkstrom December 2, 2025 22:54
Contributor

@JMarkstrom JMarkstrom left a comment


Added some comments. Consider them or ignore them as you see fit.

@equijano21
Contributor Author

Thanks for all the feedback, @JMarkstrom! Final changes have been applied. @DennisDyallo the PR is now ready for your review and sign-off.

@equijano21 equijano21 merged commit 73dd477 into develop Jan 7, 2026
4 checks passed
@equijano21 equijano21 deleted the docs-rfe-3560 branch January 7, 2026 17:31
@DennisDyallo DennisDyallo mentioned this pull request Jan 28, 2026
