On 06/03/2017 16:10, Werner Koch wrote:
> An old argument against user certificates was the need to purchase a
> device or a certificate. Now U2F requires that you purchase a device
> anyway, thus this would void that argument.

IIRC one of the selling points of U2F is that it should have been "anonymous": an attacker that compromises multiple servers shouldn't be able to determine if two users (on the two servers) are actually the same person (or even if two users of the same site share a single token).

The only link would be the attestation certificate, but that should only be checked during enrollment and not stored anywhere (once the user is enrolled, the attestation cert is useless since only the site-specific pubkey is needed). With X509 (or GPG) certs the user's identity gets linked, for the joy of nosy orgs.

@NIIBE: the sites don't send "proprietary JS" to the browser to access the token (the needed code is public), but the browser must support the U2F API. That's native in Chrome, but Firefox requires a plugin (and I don't know what the status of other browsers is).

PS: it's not clear what happens when the attestation cert expires: does the token become useless for enrollment?

PPS: the "attestation CA" could even be the GPG 'C' or 'S' key, which the server could check via the WoT. That does not require the 'C' or 'S' key to be on the token: the attestation certificate can be generated on an offline machine.

BYtE,
Diego.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
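As an added illustration of the enrollment flow discussed in the message above (this is example code, not code from this thread, from GnuPG, or from any U2F implementation), the Go program below models a relying party that verifies a token's attestation certificate only at enrollment, keeps nothing but the per-site public key and key handle, and therefore cannot link one token's registrations at two sites. It also shows what an expired attestation certificate does in this model: the same registration that was accepted earlier is rejected later, while stored credentials carry no certificate at all. The vendor attestation CA, the batch certificate, the site names and the challenge are all constructed for the example; the signed message is a simplified stand-in for the U2F registration signature input, and a real token's per-site private keys and key-handle wrapping are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Token models a U2F device: one batch attestation key and cert shared by many devices.
type Token struct {
	attKey  *ecdsa.PrivateKey
	attCert []byte // DER, signed by the hypothetical vendor attestation CA below
}
// Registration is the enrollment response, the only message that carries AttCert.
type Registration struct{ KeyHandle, PubKey, AttCert, Sig []byte }
// Credential is all the relying party stores: no attestation material at all.
type Credential struct{ KeyHandle, PubKey []byte }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 key and cert: self-signed (the vendor CA) when ca is set, else signed by parent/signer.
func issue(cn string, years int, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().AddDate(years, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// regDigest stands in for the U2F registration signature input (0x00 || app || challenge || handle || pubkey).
func regDigest(appID string, challenge, handle, pub []byte) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{{0}, []byte(appID), challenge, handle, pub}, nil))
	return h[:]
}

// Register mints a fresh key pair bound to appID and attests it with the batch key.
func (t *Token) Register(appID string, challenge []byte) *Registration {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	check(err)
	handle := sha256.Sum256(pub) // opaque stand-in; real tokens wrap the per-site private key here
	sig, err := ecdsa.SignASN1(rand.Reader, t.attKey, regDigest(appID, challenge, handle[:], pub))
	check(err)
	return &Registration{handle[:], pub, t.attCert, sig}
}

// Enroll is the relying party side: verify the attestation chain as of now, check
// the registration signature, then keep only the per-site key and handle.
func Enroll(roots *x509.CertPool, appID string, challenge []byte, reg *Registration, now time.Time) (*Credential, error) {
	cert, err := x509.ParseCertificate(reg.AttCert)
	if err != nil {
		return nil, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return nil, fmt.Errorf("attestation rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, regDigest(appID, challenge, reg.KeyHandle, reg.PubKey), reg.Sig) {
		return nil, errors.New("bad registration signature")
	}
	return &Credential{reg.KeyHandle, reg.PubKey}, nil // reg.AttCert is deliberately not kept
}

// Demo enrolls one token at two sites and reports whether the stored records can be
// linked, and whether the same registration is still accepted after the 5-year cert expires.
func Demo() (linkable bool, lateEnrollErr error) {
	caKey, caCert := issue("Example Vendor Attestation CA", 10, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	attKey, attCert := issue("Example Vendor U2F batch", 5, false, caCert, caKey)
	tok := &Token{attKey, attCert.Raw}
	chal := []byte("constructed-challenge") // constructed; real sites send fresh random bytes
	siteA, siteB := "https://site-a.example", "https://site-b.example"
	regB := tok.Register(siteB, chal)
	credA, err := Enroll(roots, siteA, chal, tok.Register(siteA, chal), time.Now())
	check(err)
	credB, err := Enroll(roots, siteB, chal, regB, time.Now())
	check(err)
	linkable = bytes.Equal(credA.PubKey, credB.PubKey) || bytes.Equal(credA.KeyHandle, credB.KeyHandle)
	_, lateEnrollErr = Enroll(roots, siteB, chal, regB, time.Now().AddDate(6, 0, 0))
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints the linkability result (false) followed by the error the relying party returns when the attestation cert has expired. Nothing about expiry reaches the login path: Credential holds no certificate, so in this model an expired attestation cert only blocks new enrollments, and only at sites that check validity dates at all; whether a given site does so is that site's policy, which is exactly the open question in the PS above.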