How U2F works

NdK ndk.clanbo at
Mon Mar 6 19:23:26 CET 2017

Il 06/03/2017 16:10, Werner Koch ha scritto:

> An old argument against user certificates was the need to purchase a
> device or a certificates.  Now U2F requires that you purchase a device
> anyway, thus this would void that argument.
IIRC one of the selling points of U2F is that it should have been
"anonymous": an attacker that compromises multiple servers shouldn't be
able to determine if two users (on the two servers) are actually the
same person (or even if two users of the same site share a single token).

The only link would be the attestation certificate, but that should only
be checked during enrollment and not stored anywhere (once the user is
enrolled, the attestation cert is useless since only the site-specific
pubkey is needed).

With X509 (or GPG) certs the user's identity gets linked, for the joy of
nosy orgs.

@NIIBE : the sites don't send "proprietary JS" to the browser to access
the token (needed code is public) but the browser must support U2F API.
That's native in Chrome, but Firefox requires a plugin (and I don't know
what's the status of other browsers).

PS: it's not clear what happens when the attestation cert expires: does
the token become useless for enrollment?

PPS: the "attestation CA" could even be the GPG 'C' or 'S' key, that the
server could check via WoT. That does not require 'C' or 'S' key to be
on the token: the attestation certificate can be generated on an offline


More information about the Gnupg-users mailing list