How U2F works
Gerd v. Egidy
gerd.von.egidy at intra2net.com
Mon Mar 6 23:32:25 CET 2017
> Frankly, I don't really understand the use case for U2F? Why not using
> plain user certificates which is supported by browser and servers for
> ages? Is that because the web frameworks don't have good support for
I think this is because many people consider anything that is called a
"certificate" complicated. Probably because in the past a lot of programs had
poor or buggy support for it and they struggled with it.
So they came up with a new brand name and standard.
But I think they messed this up: when you want an attestated U2F device, there
is no way to backup the private key or clone it to another U2F device. So
whenever you sign up to a new service or website, you must have your primary
and all backup U2F devices (each with it's own key) at hand to register them
with the service.
To have them at hand means I can't store them at a second secure location like
a bank safe. Because I won't go to my bank safe just to be able to order at a
new online store. Completely unpractical unless you restrict the usage just to
a handful of key services. Or it is right back to "what was the name of your
first pet" :(
More information about the Gnupg-users