FIDO Flags and some other changes

pedro martelletto pedro at ambientworks.net
Mon Oct 5 18:26:51 AEDT 2020


>   1. Right now, we specify flags like "no-touch-required" and
>   "verify-required" during key generation, but I think this information
>   should not be attached to keys at generation times, especially because
>   servers most accept our keys based on their configurations: for example,
>   one server may have "no-touch-required" on its "authorized_key" file and
>   another one doesn't. But we cannot change "no-touch-required" on every
>   login since it's permanently attached to its private key. Also, keys
>   created with "verify-required" need to have "verify_required" on the server
>   config or they will be rejected, and if we add "verify-required" to keys
>   which do not have this flag, they'll become useless. My purpose is, these
>   options should be configured on ssh configs, so for each server, we can
>   specify them as it should be (or select a default with "Host *"). What do
>   you think?

Defining these attributes during key generation allows the 
corresponding policy to be enforced at the authenticator level 
(through FIDO 2.1 credential protection, which is the intention), 
and subsequent notarisation by a CA.

Keys created with verify-required do not require verify-required to 
be set on the server. In FIDO2, the entity that ultimately decides 
how a signature takes place is the authenticator. The verifying part 
is of course expected to validate and reject signatures that do not 
satisfy its security requirements, but should accommodate signatures 
that exceed said requirements:

"(...) the Authenticator may perform user verification even if 
not requested to enhance its security offering." [1]

-p.

[1] https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html
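
The "reject what falls short, accept what exceeds" rule from the reply above, as an added example that is not part of the original message and is not OpenSSH's own code. The struct, function and policy names are hypothetical; the two flag bits are the user-presence and user-verification bits of the FIDO authenticator data flags byte.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of the authenticator data flags byte covered by the signature. */
#define FLAG_UP 0x01 /* user presence (touch) was asserted */
#define FLAG_UV 0x04 /* user verification (PIN/biometric) was performed */

/* Hypothetical per-key server policy, mirroring the two options in the thread. */
struct key_policy {
    bool no_touch_required; /* server waives the touch requirement */
    bool verify_required;   /* server demands user verification */
};

static const struct key_policy POLICY_DEFAULT  = { false, false };
static const struct key_policy POLICY_NO_TOUCH = { true,  false };
static const struct key_policy POLICY_VERIFY   = { false, true  };

/*
 * Accept a signature whose flags meet or exceed the policy. Bits the policy
 * does not ask for are ignored, so a key that always performs UV still
 * passes on a server that never set verify_required.
 */
bool sig_flags_acceptable(const struct key_policy *p, uint8_t sig_flags)
{
    if (!p->no_touch_required && !(sig_flags & FLAG_UP))
        return false; /* touch required but not asserted */
    if (p->verify_required && !(sig_flags & FLAG_UV))
        return false; /* verification required but not performed */
    return true;
}

int main(void)
{
    /* Constructed sample flag bytes: none, UP, UV, UP|UV. */
    const uint8_t samples[] = { 0x00, FLAG_UP, FLAG_UV, FLAG_UP | FLAG_UV };
    const struct key_policy *pols[] = {
        &POLICY_DEFAULT, &POLICY_NO_TOUCH, &POLICY_VERIFY };
    const char *names[] = { "default", "no-touch-required", "verify-required" };

    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 4; j++)
            printf("%-18s flags=0x%02x -> %s\n", names[i], samples[j],
                sig_flags_acceptable(pols[i], samples[j]) ? "accept" : "reject");
    return 0;
}
```
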


More information about the openssh-unix-dev mailing list