Hello,

Let me ask a question about U2F. Or, more generally, the possibility of enhancing GnuPG for web authentication.

While I maintain scdaemon of GnuPG and develop Gnuk (an OpenPGPcard implementation), I am sometimes asked about U2F support these days. (I think that this is due to Yubikey.)

IIUC, the major use case of U2F is web authentication. It seems to me that it doesn't fit directly into the OpenPGPcard use case.

Anyhow, it would be possible for Gnuk to add U2F support (somehow limited, because of the available resources on board). Also, it would be possible for scdaemon (or another application) to emulate the U2F protocol (just like Scute emulates PKCS#11).

Well, I have two concerns about U2F.

(1) Attestation key

In the document of U2F:

https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html#verifying-that-a-u2f-device-is-genuine

it explains the Attestation key. If it were common for services to do this Attestation key check, U2F emulation or a free U2F implementation would be of no real use without the private key of the vendor. (It reminds me of the old days when Apache couldn't serve https because no certificate authority issued certificates for servers with Apache.)

I wonder if the Attestation key check is common or not.

(2) JavaScript

It seems to me that there are special JavaScript(s) to offer an access API to U2F. I don't quite understand how it works with the physical device. I don't like nonfree JavaScript which may interfere with the user's control. Is it easy for a free script (as in freedom) to integrate a script for U2F access? Are there any such example scripts or any such services which do so?

Here, my concern is that if it is all for the proprietary world, I am reluctant to consider U2F seriously.

And finally, if web authentication is important, I would like to use the infrastructure of GnuPG to manage my own crypto computation and my own private keys. Currently, we can use GnuPG for SSH authentication by its ssh-agent emulation. I would like to extend this.

Any thoughts? Thanks in advance.