> Frankly, I don't really understand the use case for U2F? Why not use
> plain user certificates, which have been supported by browsers and servers
> for ages? Is that because the web frameworks don't have good support for
> this?
I think this is because many people consider anything that is called a "certificate" complicated. Probably because in the past a lot of programs had poor or buggy support for it and they struggled with it. So they came up with a new brand name and standard.

But I think they messed this up: when you want an attested U2F device, there is no way to back up the private key or clone it to another U2F device. So whenever you sign up to a new service or website, you must have your primary and all backup U2F devices (each with its own key) at hand to register them with the service. To have them at hand means I can't store them at a second secure location like a bank safe, because I won't go to my bank safe just to be able to order at a new online store. Completely impractical unless you restrict the usage to just a handful of key services. Or it is right back to "what was the name of your first pet" :(

Kind regards,
Gerd