[Bug 3516] ssh-keygen when creating sk fido keys does not create sufficient data for attestation verification.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 5 19:05:46 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3516

--- Comment #3 from pedro martelletto <pedro at ambientworks.net> ---
The client data part of the attestation payload can be specified
out-of-band through ssh-keygen -O challenge=,
https://man.openbsd.org/ssh-keygen#challenge.

Regarding different attestation statement formats, intermediate or root
certificates, and other data required to attest a credential: in most
cases involving USB or NFC security keys, the format will be "packed"
or "fido-u2f", and the root CA published by the vendor of the security
key (e.g. https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt).
What is currently in place should be enough to satisfy that scenario.

Going forward, we might want to embed the attestation format and the
entire attestation statement (fido_cred_fmt() and
fido_cred_attstmt_ptr() respectively) in the attestation blob.

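As an added illustration, not part of the bug report or of OpenSSH's own code, the following Python parses the attestation blob that ssh-keygen -w writes (the "ssh-sk-attest-v01" layout documented in OpenSSH's PROTOCOL.u2f: magic string, attestation certificate, enrollment signature, CBOR authenticator data, reserved flags, reserved string) and assembles the pieces a verifier needs: the certificate to chain to the vendor root CA, the authenticator data with rpIdHash, flags, counter and attested credential, and the clientDataHash derived from the challenge supplied with -O challenge=. The signed-message layouts for "packed" (authData || clientDataHash) and "fido-u2f" (0x00 || rpIdHash || clientDataHash || credentialId || uncompressed public key) follow the WebAuthn and U2F specifications. Assumptions: the challenge is hashed with SHA-256 to form clientDataHash (as libfido2's fido_cred_set_clientdata does; older builds may pass the bytes through unhashed), the attestation format is supplied by the caller because the blob does not carry it (the gap the comment describes), and the sample blob, certificate and signature bytes are constructed placeholders, so the optional signature check is shown but not exercised by the sample.

```python
import hashlib
import struct

AT_FLAG = 0x40  # authenticator data flag: attested credential data present


def sha256(data):
    return hashlib.sha256(data).digest()


def read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return bytes(buf[off + 4:off + 4 + n]), off + 4 + n


def parse_attestation_blob(blob):
    """Split an ssh-sk-attest-v01 blob (ssh-keygen -w output) into its fields."""
    magic, off = read_string(blob, 0)
    if magic != b"ssh-sk-attest-v01":
        raise ValueError("not an ssh-sk-attest-v01 blob: %r" % magic)
    cert_der, off = read_string(blob, off)
    sig, off = read_string(blob, off)
    authdata, off = read_string(blob, off)
    (reserved_flags,) = struct.unpack(">I", blob[off:off + 4])
    reserved, off = read_string(blob, off + 4)
    if off != len(blob):
        raise ValueError("trailing bytes after attestation blob")
    return {"cert_der": cert_der, "sig": sig, "authdata": authdata,
            "reserved_flags": reserved_flags, "reserved": reserved}


def cbor_decode(buf, off=0):
    """Minimal CBOR decoder: ints, byte/text strings and maps, enough for a COSE key."""
    ib = buf[off]
    mt, ai, off = ib >> 5, ib & 0x1F, off + 1
    if ai < 24:
        val = ai
    elif ai == 24:
        val, off = buf[off], off + 1
    elif ai == 25:
        (val,), off = struct.unpack(">H", buf[off:off + 2]), off + 2
    elif ai == 26:
        (val,), off = struct.unpack(">I", buf[off:off + 4]), off + 4
    else:
        raise ValueError("unsupported CBOR additional info %d" % ai)
    if mt == 0:
        return val, off
    if mt == 1:
        return -1 - val, off
    if mt == 2:
        return bytes(buf[off:off + val]), off + val
    if mt == 3:
        return buf[off:off + val].decode(), off + val
    if mt == 5:
        m = {}
        for _ in range(val):
            k, off = cbor_decode(buf, off)
            v, off = cbor_decode(buf, off)
            m[k] = v
        return m, off
    raise ValueError("unsupported CBOR major type %d" % mt)


def parse_authdata(ad):
    """Parse WebAuthn authenticator data: rpIdHash, flags, counter, attested credential."""
    out = {"rp_id_hash": bytes(ad[:32]), "flags": ad[32],
           "counter": struct.unpack(">I", ad[33:37])[0]}
    if out["flags"] & AT_FLAG:
        (cred_len,) = struct.unpack(">H", ad[53:55])
        cred_id = bytes(ad[55:55 + cred_len])
        cose, _ = cbor_decode(ad, 55 + cred_len)
        if cose.get(1) != 2 or cose.get(3) != -7:  # kty=EC2, alg=ES256
            raise ValueError("expected a COSE EC2/ES256 credential public key")
        out.update(aaguid=bytes(ad[37:53]), cred_id=cred_id,
                   pubkey_x=cose[-2], pubkey_y=cose[-3])
    return out


def signed_message(fmt, authdata, challenge):
    """Bytes the attestation signature covers, for the format the caller knows."""
    cdh = sha256(challenge)  # assumption: challenge -> clientDataHash via SHA-256
    if fmt == "packed":
        return authdata + cdh
    if fmt == "fido-u2f":
        p = parse_authdata(authdata)
        pub = b"\x04" + p["pubkey_x"] + p["pubkey_y"]
        return b"\x00" + p["rp_id_hash"] + cdh + p["cred_id"] + pub
    raise ValueError("unsupported attestation format: %s" % fmt)


def verify_signature(cert_der, sig, msg):
    """Optional ECDSA/P-256 check with the attestation certificate's key (needs 'cryptography').
    Chaining cert_der to the vendor root CA is a separate step not shown here."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    x509.load_der_x509_certificate(cert_der).public_key().verify(
        sig, msg, ec.ECDSA(hashes.SHA256()))
    return True


def build_sample_blob():
    """Constructed sample blob; certificate and signature are placeholder bytes."""
    x, y = bytes(range(32)), bytes(range(32, 64))
    cose = (b"\xa5" + b"\x01\x02" + b"\x03\x26" + b"\x20\x01"   # {1:2, 3:-7, -1:1,
            + b"\x21\x58\x20" + x + b"\x22\x58\x20" + y)         #  -2:x, -3:y}
    cred_id = b"constructed-cred-id"
    authdata = (sha256(b"ssh:") + bytes([0x01 | AT_FLAG]) + struct.pack(">I", 7)
                + b"\xab" * 16 + struct.pack(">H", len(cred_id)) + cred_id + cose)
    s = lambda b: struct.pack(">I", len(b)) + b
    return (s(b"ssh-sk-attest-v01") + s(b"constructed-cert-der") + s(b"constructed-sig")
            + s(authdata) + struct.pack(">I", 0) + s(b""))


if __name__ == "__main__":
    blob = parse_attestation_blob(build_sample_blob())
    ad = parse_authdata(blob["authdata"])
    print("rpIdHash=%s counter=%d credId=%r" % (ad["rp_id_hash"].hex(), ad["counter"], ad["cred_id"]))
    print("packed message length:", len(signed_message("packed", blob["authdata"], b"challenge")))
```

On a real blob, replace build_sample_blob() with the bytes of the file written by ssh-keygen -w, pass the same challenge bytes that were given via -O challenge=, and run verify_signature() on the message for whichever format the token uses; the certificate must then be chained to the vendor's published root CA before the credential is trusted.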