How U2F works

Werner Koch wk at gnupg.org
Mon Mar 6 16:10:44 CET 2017


On Tue, 28 Feb 2017 01:28, glenn at rempe.us said:

> What though is the benefit of using gnupg key as the crypto behind the
> client auth? Seems like you are more exposed by having a portable gpg

It is up to the user where to store the key.  For obvious reasons the
user should use a token (e.g. gnuk or another OpenPGP smartcard, or one
of the other supported X.509 smartcards).

Frankly, I don't really understand the use case for U2F?  Why not using
plain user certificates which is supported by browser and servers for
ages?  Is that because the web frameworks don't have good support for
this?

An old argument against user certificates was the need to purchase a
device or a certificates.  Now U2F requires that you purchase a device
anyway, thus this would void that argument.

With OpenPGP a web service could ask for the user's public key during
enrollment and sign that key with their key.  The login procedure can
then send a challenge, verify it and check that the key has been signed
(OpenPGP key signature) by their key.  That would be a decentralized
system and only the enrollment needs to care about user data and such.
The user could use the very same key (toke) for other services as well
because other service providers can either add their own key signature
or thus the key signature of another service provider.

Well, backup is certainly an issue but one which can be solved - in
particular when the tokens are produced by the service provider.  The
OpenPGP card spec provides secure messaging and a few other feature,
which we once designed for a similar purpose: A service provider was
able to update the user's cards over the net (time-based travel cards).



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: </pipermail/attachments/20170306/9538b5f1/attachment-0001.sig>


More information about the Gnupg-users mailing list