I was curious about the details of FIDO2/U2F authentication and attestation with hardware tokens / security keys in both the browser's `WebAuthn` and `ssh`, so I spent the day working through the protocols and validating each step with `openssl`: trmm.net/U2F/

@th Argh! My OpenSSH is too old still (on my client): OpenSSH_8.1p1, LibreSSL 2.7.3

@th (otherwise would have instantly started using it... no wait, I already use a PGP auth key that's on my YubiKey for that...) :D

@sindastra I wrote a guide for that, too! trmm.net/Yubikey/#gpg-agent-an
Although I found it very flakey when the token went away and came back, so I stopped using it. The u2f code has been much more reliable so far, and doesn't conflate my PGP identity with my computer identity, so I'm hoping to switch more of my servers to this new code.

@th Honestly, I also have been having issues with smartcards and PGP in general, especially now with the latest Thunderbird which I mentioned here: sindastra.de/p/1583/dear-mozil

@th Oh, it seems your article is quite old, GPGMail isn't free software anymore and thus not an option for me. They ask for quite a lot of money (for what it is), and you need to upgrade (pay again) every year to remain compatible which I can't agree with.
