Incomplete attestation data for FIDO2 SKs?

Ian Haken ihaken at
Sat Sep 5 08:03:38 AEST 2020

I was recently looking at verifying the attestation data
(ssh-sk-attest-v00) for an SK key, but I believe the data saved in this
structure is insufficient for completing verification of the attestation.
While the structure has enough information for U2F devices, FIDO2 devices
sign their attestation over a richer "authData" blob [1] (concatenated with
the challenge hash). The authData blob contains data not derivable from the
public/private key, such as a signature counter and the device's AAGUID. As
I understand it, the attestation structure should probably persist the
entire authData blob to enable validation of the attestation. (This is
really only getting into support for verifying "packed" attestation
statements. Figuring out what to extract and persist is likely even more
nuanced for other formats, but I'm not terribly inclined to go there

Is there something I'm missing that would enable verification of the
attestation signature for FIDO2 devices, or is this a correct assessment
that the ssh-sk-attest-v00 file saved from ssh-keygen would not be enough?
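
The layout the post refers to, as an added example that is not part of the original message and not OpenSSH's code: a Python parser for the WebAuthn authenticator data blob, plus the byte string a "packed" attestation signature covers (authData concatenated with the challenge hash). The sample authData, the "ssh:" application string, the AAGUID values and the placeholder COSE key are constructed for illustration.

```python
import hashlib
import struct

FLAG_AT = 0x40  # bit 6: attested credential data is present

def parse_auth_data(auth_data: bytes) -> dict:
    """Split a WebAuthn authenticator data blob into its fixed-layout fields."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    rp_id_hash = auth_data[:32]
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    out = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data truncated")
        out["aaguid"] = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID runs past end of authData")
        out["credential_id"] = auth_data[55:55 + cred_len]
        out["cose_key_and_extensions"] = auth_data[55 + cred_len:]  # CBOR, not decoded here
    return out

def packed_signed_bytes(auth_data: bytes, client_data_hash: bytes) -> bytes:
    """Message a 'packed' attestation signature covers: authData || clientDataHash."""
    if len(client_data_hash) != 32:
        raise ValueError("clientDataHash must be a SHA-256 digest")
    return auth_data + client_data_hash

def build_sample(sign_count: int, aaguid: bytes) -> bytes:
    """Constructed authData for illustration; not captured from a real device."""
    rp_id_hash = hashlib.sha256(b"ssh:").digest()  # assumed application string
    cred_id = b"\x11" * 16                         # constructed credential ID
    cose_key = b"\xa0"  # placeholder: empty CBOR map standing in for the COSE key
    return (rp_id_hash + struct.pack(">BI", 0x41, sign_count) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)

if __name__ == "__main__":
    challenge_hash = hashlib.sha256(b"constructed challenge").digest()
    a = build_sample(7, bytes(16))
    b = build_sample(8, bytes(16))
    print(parse_auth_data(a))
    # Same key, credential ID and challenge, but the signed bytes differ with the counter
    print(packed_signed_bytes(a, challenge_hash) != packed_signed_bytes(b, challenge_hash))
```

A verifier holding only the public key, key handle and challenge cannot rebuild this message, because the counter and AAGUID sit inside the signed bytes.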


More information about the openssh-unix-dev mailing list