How U2F works

NIIBE Yutaka gniibe at
Mon Mar 6 04:17:55 CET 2017

Thomas Jarosch <thomas.jarosch at> wrote:
> regarding limited resources, the Yubikey people did a fine trick:
> There is no per-website data stored on the Yubikey. So the amount
> of websites you can use a single FIDO U2F key for is unlimited.
> See "Limited storage on device" for details:
> Also I think the attestation key is not enforced by websites,
> so gnuk could just send a bogus / user configurable cert.

Thanks a lot for the information.

Well, I concluded that it is not worth (for me) to try to integrate U2F
feature into Gnuk.  If some free software friendly network service sites
ask me a possibility to use such a method to authenticate their users,
firstly I would propose better method which can respect users' computing
better instead, secondly I would propose developing as a separate
firmware implementation (possibly re-using Gnuk lower-level code) as

The reason is:

    The use cases are so different: The model who/how controls crypto
    computation is so different.  (I mean, Gnuk vs. U2F)

I had been somewhat naive when I saw U2F specification at first.  I was
considering like:

  * While U2F uses X.509 certificate by the attestation key (in the
    specification), it could be OpenPGP certificate.

  * Free Software implementation of U2F would be nice thing.

but, I leaned the reality.

In my opinion, the attestation key is a "key", literary and it is not
wise for network service providers not to check certificates (say, to
avoid MitM attack).

Here is my understanding.

I think that U2F offers network service providers a method of device
authentication and those who can trust the device vendor can use this
method to augment their user authentication.

Here is a picture, explaining the method.

    [ Network service provider: A ]  --------------\ Trust
	      ^                                    |
	      |  protocol for remote use of token  |
	      v                                    v
         [ User: U ]===having a token T1 by [ Device Vendor: D ]
	      ^                                    ^
	      |  protocol for remote use of token  |
	      v                                    |
    [ Network service provider: B ]  --------------/ Trust

Note that U2F itself is not user authentication.  User authentication is
composed at network service provider side by traditional
username+passphrase AND the fact a user has the device (which can be
made sure by U2F device authentication).

In the design, the device is assumed to be shared among different
network service providers.

U2F is the protocol to offer remote crypto computation by network
service providers.

Users are... offering electric power to the device.  Users help network
service providers so that the U2F authentication can work effectively
(say, by providing their fingerprint).

In such a scheme, network service providers don't hesitate to send
nonfree JavaScript to their users, because the purpose is doing remote
use of the vendor's token (I don't say, it's user's token, even if
user is a "holder" is the token).

More information about the Gnupg-users mailing list