How U2F works

NIIBE Yutaka gniibe at fsij.org
Tue Mar 7 00:52:04 CET 2017


Werner Koch <wk at gnupg.org> wrote:
> Frankly, I don't really understand the use case for U2F?  Why not using
> plain user certificates which is supported by browser and servers for
> ages?  Is that because the web frameworks don't have good support for
> this?

Scalability, and some (or the) trust model which supports that.

The common practice for (X.509) user certificates is that they are issued by
a specific network service provider, and they are useless for another
network service provider.  Users have to install each certificate issued
by each network service provider.  And it is not easy to manage such a
thing.

Ideally, we would have a good method to handle user certificates on
client machines, and have a practice using X.509 user certificates
by..., say, with "root CA"s.

The OpenPGP community would say it could be done reliably, right now, in a
distributed way with OpenPGP certificates.  Right, technically, it's
true.  The question is: How about in practice?

I think that user certificates (either X.509 or OpenPGP) won't work as
well as something like U2F.  I think that here, U2F offers a "solution"
in a clever and practical way.


Well, let me explain from another angle.

I live in a small town.  In some cases, I buy things based on mutual
trust, directly or indirectly.  I use cash (or even a credit card in some
specific cases), but shop owners basically trust me.  We use money,
Japanese Yen.  But in a few cases, it is not needed in that form.  For
our own rice (the most important food), I don't have to pay in the form of
money.  I live in such a town, intentionally.

I used to live in Tokyo for many years.  Shop owners trust some credit
card service company and Japan Bank as an issuer of paper money.  They
don't necessarily care about me or anyone who is buying their
products/services, as long as they can get paid.


Money scales.  Credit cards scale.  That's because they don't require
direct mutual trust between a shop and a stranger who visits the shop.
All that a shop owner needs is... to trust money.

That's my understanding.


I think that the most important factor is not users, here (it is related,
though).

Using U2F might be easier for a network service provider, when other
network service providers have introduced such a feature in their
service already.  For an engineer or an administrator around web
services, it would be just "easy", like installing a few modules,
probably, while preparing X.509 user certificates requires complex and
difficult things.

From an engineer who eats rice mainly. :-)
-- 