Just chiming in here with some comments below. I am an active U2F user and have played around with the server APIs and read some of the specs. Just to be clear, not an expert on U2F.

On 2/27/17 3:28 PM, NIIBE Yutaka wrote:
> Hello,
>
> Let me ask a question about U2F. Or, more generally, possibility
> to enhance GnuPG for web authentication.
>
> Anyhow, it would be possible for Gnuk to add U2F support (somehow
> limited, because of available resource on board). Also, it would
> be possible for scdaemon (or other application) to emulate U2F
> protocol (just like Scute does emulate PKCS#11).
>
> Well, I have two concerns for U2F.
>
> (1) Attestation key
>
> In the document of U2F:
>
> https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html#verifying-that-a-u2f-device-is-genuine
>
> It explains about Attestation key.
>
> If it were common for services to do this Attestation key check,
> U2F emulation or free U2F implementation will be no real use with
> no private key of the vendor. (It reminds me the old days when
> Apache couldn't serve https because no certificate authority issued
> certificate for servers with Apache.) I wonder if Attestation key
> check is common or not.

Well, the attestation key would be checked by the server side process, right? And that is optional to check (but perhaps not optional to send). So you probably would need to ask those that are integrating U2F as a server auth method. Sending this seems to be a requirement based on the spec link you sent.

Couldn't you get a vendor specific attestation key in any case for GnuK and use the same key across all devices?

Yubico describes something about the attestation metadata they use here:

https://developers.yubico.com/U2F/Attestation_and_Metadata/

>
>
> (2) JavaScript
>
> It seems for me that there are special JavaScript(s) to offer
> access API to U2F. I don't quite understand how it works to the
> physical device.
>
> I don't like nonfree JavaScript which may interfere user's control.
>
> Is it easy for free script (as in freedom) to integrate a script
> for U2F access? Any such example scripts or any such services
> which do so?

I believe that at this point almost all use of U2F is through web browsers that support talking to the U2F hardware APIs directly. Only Chrome has full support now, and Firefox and Opera are working on it but are not yet generally available. The web JavaScript APIs are just for requesting registration of a token or authentication. So you can't use U2F in a browser that does not have support for it no matter what JS you load in your page.

Browser support:
https://www.yubico.com/support/knowledge-base/categories/articles/browsers-support-u2f/

Yubico Demo Code and JS API:
https://developers.yubico.com/U2F/Libraries/Using_a_library.html

JS Polyfill:
https://github.com/mastahyeti/u2f-api

>
> Here, my concern is that if it is all for proprietary world, I am
> reluctant to consider seriously about U2F.

FIDO U2F is based on an openly published standard but only for you to 'read and analyze'. Seems like you have to become a member of the FIDO alliance to be protected. It's not an Internet RFC.

"FIDO's specifications are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; we encourage even very small companies with a very low cost to join at the entry level. Members at all levels not only benefit from the mutual non-assert protection, but also participate with FIDO Alliance members, activities and developments; Associates have more limited participation benefits. All are invited to join the FIDO Alliance and participate."

https://fidoalliance.org/faqs/

>
>
> And finally, if web authentication is important, I would like to
> use the infrastructure of GnuPG to manage my own crypto computation
> and my own private keys. Currently, we can use GnuPG for SSH
> authentication by its ssh-agent emulation. I would like to extend
> this.

Wouldn't making this work require the browser vendors to support some kind of 'pluggable local auth' that gnupg would emulate, and not only support for hardware tokens like Yubikey? I don't know if they support this broader concept or not.

https://fidoalliance.org/specifications/overview/

What though is the benefit of using gnupg key as the crypto behind the client auth? Seems like you are more exposed by having a portable gpg key as opposed to a hardware embedded key. U2F makes it so easy to add a backup key, and most implementations let you drop and add keys pretty easily. Just trying to figure out if backing U2F with gpg, if that is what you are proposing, is worth it?

>
> Any thoughts? Thanks in advance.
>

Cheers.
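Added example, not part of the original message or of any U2F library: a relying-party sketch of the attestation point in the reply, namely that the attestation certificate always travels in the registration response while checking it is the server's choice. It follows the raw registration response layout from the FIDO U2F raw message formats specification; the function names and the fingerprint allowlist are assumptions, and the sample bytes are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Registration:
    public_key: bytes        # 65-byte uncompressed P-256 point
    key_handle: bytes
    attestation_cert: bytes  # X.509 DER, always present in the message
    signature: bytes         # ECDSA signature, DER encoded

def der_total_length(buf: bytes) -> int:
    """Size of the DER SEQUENCE at the start of buf, header included."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    if buf[1] < 0x80:                      # short form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                      # long form: n length bytes follow
    if not 1 <= n <= 3 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def parse_registration(msg: bytes) -> Registration:
    # Layout: 0x05 | public key (65) | key handle length (1) | key handle | cert | signature
    if len(msg) < 67 or msg[0] != 0x05 or msg[1] != 0x04:
        raise ValueError("not a U2F registration response")
    kh_end = 67 + msg[66]
    rest = msg[kh_end:]
    cert_len = der_total_length(rest)      # the certificate carries its own length
    if cert_len >= len(rest):
        raise ValueError("truncated message")
    return Registration(msg[1:66], msg[67:kh_end], rest[:cert_len], rest[cert_len:])

def cert_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

def accept_registration(reg: Registration, trusted=None) -> bool:
    """trusted=None: attestation is ignored, so any token (or emulation) may register.
    Otherwise the certificate must be pinned. Assumption: pinning stands in for the
    chain and signature validation a real server does with a crypto library."""
    if trusted is None:
        return True
    return cert_fingerprint(reg.attestation_cert) in trusted

def sample_message() -> bytes:
    # Constructed filler bytes, not output from a real token.
    key_handle = bytes(range(32))
    cert = b"\x30\x82\x01\x00" + bytes(256)
    sig = b"\x30\x44" + bytes(68)
    return b"\x05\x04" + bytes(64) + bytes([32]) + key_handle + cert + sig
```

With `trusted=None` the server stores the public key and key handle and never looks at the certificate, which is the case where an emulated or self-attested token registers without a vendor key.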