From 0e7dabeeeb535ff5dc2e52f8ce443f00812dc508 Mon Sep 17 00:00:00 2001 From: Amolith Date: Wed, 26 Aug 2020 23:42:53 -0400 Subject: [PATCH 1/3] change defaults and add info to #Require touch As mentioned in #197, the previous behaviour would require users to touch their key any time an authentication, signing, or encryption operation was performed. In some situations, this behaviour would be undesirable and the only way to revert it would be fully resetting the key and starting from scratch. Rather than using `fixed`, this commit simply turns the feature `on` so the user can change it later if they wish. Additionally, a note about the other policies was included so users can decide for themselves which fits their situation better. --- README.md | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 915789b..dab25fb 100644 --- a/README.md +++ b/README.md 
@@ -2285,21 +2285,53 @@ To require a touch for each key operation, install [YubiKey Manager](https://dev Authentication: ```console -$ ykman openpgp set-touch aut fixed +$ ykman openpgp set-touch aut on ``` Signing: ```console -$ ykman openpgp set-touch sig fixed +$ ykman openpgp set-touch sig on ``` Encryption: ```console -$ ykman openpgp set-touch enc fixed +$ ykman openpgp set-touch enc on ``` +Depending on how the YubiKey is going to be used, you may want to look at the policy options for each of these and adjust the above commands accordingly. They can be viewed with the following command: + +``` +$ ykman openpgp set-touch -h +Usage: ykman openpgp set-touch [OPTIONS] KEY POLICY + + Set touch policy for OpenPGP keys. + + KEY Key slot to set (sig, enc, aut or att). + POLICY Touch policy to set (on, off, fixed, cached or cached-fixed). + + The touch policy is used to require user interaction for all operations using the private key on the YubiKey. The touch policy is set indivdually for each key slot. To see the current touch policy, run + + $ ykman openpgp info + + Touch policies: + + Off (default) No touch required + On Touch required + Fixed Touch required, can't be disabled without a full reset + Cached Touch required, cached for 15s after use + Cached-Fixed Touch required, cached for 15s after use, can't be disabled + without a full reset + +Options: + -a, --admin-pin TEXT Admin PIN for OpenPGP. + -f, --force Confirm the action without prompting. + -h, --help Show this message and exit. +``` + +If the YubiKey is going to be used within an email client that opens and verifies encrypted mail, `Cached` or `Cached-Fixed` may be desirable. + YubiKey will blink when it is waiting for a touch. On Linux you can also use [yubikey-touch-detector](https://github.com/maximbaz/yubikey-touch-detector) to have an indicator or notification that YubiKey is waiting for a touch. # Email From 767b84eb3b78e17ecd8829d2e5cf99f9024995f1 Mon Sep 17 00:00:00 2001 
From: Mirko Vogt Date: Sat, 29 Aug 2020 16:15:36 +0000 Subject: [PATCH 2/3] Add option to retrieve additionaly entropy from YubiKey itself --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 915789b..e3df4c8 100644 --- a/README.md +++ b/README.md @@ -320,6 +320,18 @@ $ cat /proc/sys/kernel/random/entropy_avail Most operating systems use software-based pseudorandom number generators. A hardware random number generator like [OneRNG](https://onerng.info/onerng/) will [increase the speed](https://lwn.net/Articles/648550/) of entropy generation and possibly the quality. +From YubiKey firmware version 5.2.3 onwards - which introduces "Enhancements to OpenPGP 3.4 Support" - we can gather additional entropy from the YubiKey itself via the SmartCard interface. + +## YubiKey + +To feed the system's PRNG with entropy generated by the YubiKey itself, issue: +```console +$ echo "SCD RANDOM 512" | gpg-connect-agent | sudo tee /dev/random | hexdump -C +``` +This will seed the Linux kernel's PRNG with additional 512 bytes retrieved from the YubiKey. + +## OneRNG + Install and configure OneRNG software: ```console @@ -2447,3 +2459,4 @@ Admin PIN: 12345678 * https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ * https://mlohr.com/gpg-agent-forwarding/ * https://www.ingby.com/?p=293 +* https://support.yubico.com/support/solutions/articles/15000027139-yubikey-5-2-3-enhancements-to-openpgp-3-4-support From 1698736906dfd952158ba7b00c66c1f0c0bcf10d Mon Sep 17 00:00:00 2001 From: drduh Date: Sun, 30 Aug 2020 21:06:04 +0000 Subject: [PATCH 3/3] Create FUNDING.yml --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..92cbba9 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +github: [drduh]
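Review bot: in PATCH 1/3 (README hunk `@@ -2285`), the paragraph added under the three `set-touch ... on` commands should state the trade-off that the pasted help text itself shows: `on` can later be switched back to `off` by anyone holding the Admin PIN (`-a, --admin-pin`), whereas `fixed` and `cached-fixed` stay in force until a full reset, so a reader choosing `on` for convenience should know the touch requirement is now only as strong as the Admin PIN. The email-client sentence recommending `Cached`/`Cached-Fixed` should likewise say what is traded away: per the policy table, a touch is cached for 15s, so several operations can run on one touch within that window. Minor: the new help block uses a bare ``` fence where the surrounding README uses ```console, and `indivdually` is ykman's own output, so either keep the block verbatim as quoted tool output or trim it to the policy table.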
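Review bot: in PATCH 2/3 (README hunk `@@ -320`), the sentence "This will seed the Linux kernel's PRNG with additional 512 bytes" overstates what `sudo tee /dev/random` does: a plain write to /dev/random mixes the data into the pool but does not credit it as entropy, so the `entropy_avail` counter shown at the top of this hunk will not change; crediting requires the RNDADDENTROPY ioctl (which tools such as rngd use). Suggest rewording to "mixes ... into the kernel pool" and noting that `entropy_avail` is not affected. Also, what reaches /dev/random is gpg-connect-agent's printed response (`D ` data lines with percent-escapes plus the `OK` status line), not 512 raw bytes, and the trailing `| hexdump -C` echoes that seed material to the terminal, where it can land in scrollback or session logs; dropping the hexdump, or redirecting it to /dev/null, keeps the seed material off the screen.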