OpenSSH got U2F support - an idea for GnuPG?
Wiktor Kwapisiewicz
wiktor at metacode.biz
Tue Jan 14 12:05:49 CET 2020
Hi Tobias,
U2F devices sign data in a specified format so it's not possible to sign
any byte array [0], this could conflict with the way GnuPG calculates
what should be signed. If you check out OpenSSH U2F support in detail
you'll see that they defined special key type (ecdsa-sk [1]) that I
guess is used by server to wrap raw bytes in U2F structure before
signature verification.
[0]:
https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html#authentication-generating-a-signature
[1]: https://duo.com/labs/tech-notes/u2f-key-support-in-openssh
One interesting aspect of U2F is that virtually all tokens on the market
implement "unlimited number of keys" feature by having one
manufacturer-burned secret key and then deriving signing key from that
secret key and key handle (that's key ID that is passed by the application).
To be honest I think if someone has U2F token then there is a high
chance that this also includes OpenPGP applet. If not, the U2F token can
only be used for signing data, not for encryption. One advantage of U2F
tokens though is their relative low price.
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
More information about the Gnupg-devel
mailing list