[Bug 3516] ssh-keygen when creating sk fido keys does not create sufficient data for attestation verification.
bugzilla-daemon at mindrot.org
Thu Jan 5 19:05:46 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3516
--- Comment #3 from pedro martelletto <pedro at ambientworks.net> ---
The client data part of the attestation payload can be specified
out-of-band through ssh-keygen -O challenge=,
https://man.openbsd.org/ssh-keygen#challenge.
Regarding different attestation statement formats, intermediate or root
certificates, and other data required to attest a credential: in most
cases involving USB or NFC security keys, the format will be "packed"
or "fido-u2f", and the root CA published by the vendor of the security
key (e.g. https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt).
What is currently in place should be enough to satisfy that scenario.
Going forward, we might want to embed the attestation format and the
entire attestation statement (fido_cred_fmt() and
fido_cred_attstmt_ptr() respectively) in the attestation blob.
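Added example (not part of the bug comment above, and not OpenSSH or libfido2 code): a small stdlib-only Python parser for the attestation blob that `ssh-keygen -O write-attestation=` writes, showing which fields a verifier currently gets (attestation certificate, signature, authenticator data) and what it has to supply itself (the challenge given via `-O challenge=`). The blob layout used here (`ssh-sk-attest-v01`, then SSH wire strings for cert, signature and authenticator data, a reserved uint32 and a reserved string) is this example's reading of OpenSSH's PROTOCOL.u2f and is stated as an assumption; so is the assumption that the challenge bytes are used directly as the FIDO clientDataHash, so that the attestation signature covers `authData || challenge`. The fixed-layout prefix of authenticator data (rpIdHash, flags, signCount, AAGUID, credential id) follows the WebAuthn/CTAP2 definition. The sample blob is constructed inline with placeholder certificate and signature bytes, so the example runs offline but does not do real signature verification.

```python
import hashlib
import struct

ATTEST_VERSION = b"ssh-sk-attest-v01"  # assumed blob magic (see lead-in)
AT_FLAG = 0x40                          # WebAuthn "attested credential data present" bit


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length, then body."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode one SSH wire string at offset; returns (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_attest_blob(cert_der: bytes, sig: bytes, authdata: bytes) -> bytes:
    """Serialize an attestation blob in the assumed ssh-sk-attest-v01 layout."""
    return (ssh_string(ATTEST_VERSION) + ssh_string(cert_der) + ssh_string(sig)
            + ssh_string(authdata) + struct.pack(">I", 0) + ssh_string(b""))


def parse_attest_blob(blob: bytes) -> dict:
    """Split the blob into its fields, rejecting unknown versions and trailing data."""
    off = 0
    version, off = read_string(blob, off)
    if version != ATTEST_VERSION:
        raise ValueError("unexpected attestation blob version: %r" % version)
    cert_der, off = read_string(blob, off)
    sig, off = read_string(blob, off)
    authdata, off = read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated reserved flags")
    (flags,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    reserved, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after attestation blob")
    return {"version": version, "cert_der": cert_der, "sig": sig,
            "authdata": authdata, "reserved_flags": flags, "reserved": reserved}


def parse_authdata(authdata: bytes) -> dict:
    """Decode the fixed-layout prefix of WebAuthn authenticator data.

    The credential public key that follows the credential id is CBOR and is
    left unparsed here; the fields below are what an attestation check uses.
    """
    if len(authdata) < 37:
        raise ValueError("authenticator data too short")
    out = {"rp_id_hash": authdata[:32], "flags": authdata[32],
           "sign_count": struct.unpack(">I", authdata[33:37])[0]}
    if out["flags"] & AT_FLAG:
        if len(authdata) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = authdata[37:53]
        (cred_len,) = struct.unpack(">H", authdata[53:55])
        out["credential_id"] = authdata[55:55 + cred_len]
    return out


def rp_id_hash_for(application: bytes = b"ssh:") -> bytes:
    """rpIdHash a verifier expects for a given application string (OpenSSH default is "ssh:")."""
    return hashlib.sha256(application).digest()


def signed_data(authdata: bytes, challenge: bytes) -> bytes:
    """Bytes the attestation signature is expected to cover: authData || clientDataHash.

    Assumption: the 32 challenge bytes handed to ssh-keygen are the clientDataHash.
    """
    if len(challenge) != 32:
        raise ValueError("challenge must be 32 bytes to act as clientDataHash")
    return authdata + challenge


# Constructed sample: placeholder DER and signature bytes, a fabricated AAGUID and
# credential id; only the structure is realistic, nothing here is a real credential.
SAMPLE_AAGUID = bytes([0xAB]) * 16
SAMPLE_CRED_ID = bytes(range(16))
SAMPLE_AUTHDATA = (rp_id_hash_for(b"ssh:") + bytes([AT_FLAG | 0x01]) + struct.pack(">I", 0)
                   + SAMPLE_AAGUID + struct.pack(">H", len(SAMPLE_CRED_ID)) + SAMPLE_CRED_ID)
SAMPLE_BLOB = build_attest_blob(b"\x30\x03\x02\x01\x00", b"placeholder-sig", SAMPLE_AUTHDATA)
SAMPLE_CHALLENGE = bytes([0x11]) * 32  # what -O challenge= would have supplied


if __name__ == "__main__":
    fields = parse_attest_blob(SAMPLE_BLOB)
    ad = parse_authdata(fields["authdata"])
    print("rpIdHash matches 'ssh:':", ad["rp_id_hash"] == rp_id_hash_for(b"ssh:"))
    print("AAGUID:", ad["aaguid"].hex(), "credential id:", ad["credential_id"].hex())
    print("bytes to verify against cert:", len(signed_data(fields["authdata"], SAMPLE_CHALLENGE)))
```

With a real blob, the remaining steps a verifier needs, and which the comment above notes are not carried in the blob, are the attestation format (to know whether the signature is "packed" or "fido-u2f" style) and the vendor root CA to chain `cert_der` to; the AAGUID parsed here is what lets the verifier pick the right vendor CA.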