My primary use case would be as a GPG smart card. File Encryption/Signing/Email etc.
Secondary use cases could be Laptop / Desktop LUKS Boot or SSH key mgmt.
I would use ACR122U NFC reader/writers with my linux laptop and desktop.
I would prefer to use an iPhone / Linux machine to install applets, but my understanding is that you can’t install applets without an Android device.
If I can’t use an iPhone / linux machine, I would buy a used Pixel 6, install GrapheneOS and download the Fidesmo app via the Aurora Store. I would use this phone to install the GPG applet.
My goal would be to set up the Apex Flex as my personal “root of trust” and I would use it as a daily driver GPG Smartcard with an ECC keypair.
Is my goal possible? Am I making any bad assumptions? I’ve been struggling to find/make a “personal root of trust” and am hoping that this will work.
I would love someone to validate these - I’m in a similar boat & mindset. Question 5 especially; I’ve started playing around with SSH Keys in Yubikey as well, but Apex Flex is interesting - as long as the couple threads I saw regarding ECC keypairs were actually user-issues and not application/device limitations.
Edit: Also, while my understanding re: question 7/8 is that it requires android, and Fidesmo - it looks like a lot of their tooling is released open source, but not the app required for writing?
Regarding question #5, I feel somewhat confident there in theory. Purism has done a good amount of legwork in order to support their Librem Key. The Librem Key, to my understanding, is just a nice GPG smart card on a USB drive. Their code/scripts are mostly focused around enabling GPG smart cards. I think we could mostly use their excellent work to similarly enable the Apex Flex.
You got it all, though I’m not completely sure about iPhone applet install support.
Maybe wanna consider a backup of some sort for some/all things possible, maybe a yubikey neo nfc or a fidesmo card.
I mean I haven’t looked at it but I’m willing to bet it’s non-obfuscated Java, so easily decompiled. But then you would probably find that the writing logic is all done on the server and it is basically sending APDUs to the Apex, which you’d have to look at then.
This all should fail as you do not have the master key Fidesmo has, so installing applets locally won’t work.
If you have a Fidesmo dev acc you can use the fdsm CLI tool to install applets from Linux.
I would be happy to just stick with a dev account and use the CLI tool to install apps. I imagine this means I would not be able to install apps published through Fidesmo’s App Store though, right?
As for a backup yah. I’ll probably go with a nitro key as a backup.
I am actually quite happy with the NIST curves. Thanks for the work you do! I know people can be unappreciative and wanted to express my thanks here personally.
No prob! I appreciate it. The desire for better isn’t a bad thing… it’s just sometimes the responsibility for making things better rests just a little bit on all of us.
Sorry if I came across aggressive; I was trying to just raise the concern over something I saw as a usability issue.
Sidenote: I didn’t realize all the applets (including the PGP implementation) were open-sourced; that is certainly good news, and makes these issues less concerning.
No problem… there isn’t much context offered right now for the Apex Flex… but yes, we try to go OSS as much as possible. I agree other curves would be nice to support, and if we can facilitate publication of updated versions of VivoKey applets on Fidesmo, we will absolutely do so… but our development focus is centered on getting a FIDO2 applet together that has specific optional components, works across platforms, and take that through certification, then get it working with Windows Hello and other services which require a fully certified FIDO2 device and applet before they will consider supporting it.
With SmartPGP, any curves the community can add to the applet code, we will review, compile, and publish.