| version 1.18, 2020/01/25 23:13:09 |
version 1.19, 2020/01/28 08:01:34 |
|
|
| choose not to include this information in the public key or save it by |
choose not to include this information in the public key or save it by |
| default. |
default. |
| |
|
| Attestation information is very useful however in an organisational |
Attestation information is useful for out-of-band key and certificate |
| context, where it may be used by a CA as part of certificate |
registration worksflows, e.g. proving to a CA that a key is backed |
| issuance. In this case, exposure to the CA of hardware identity is |
by trusted hardware before it will issue a certificate. To support this |
| desirable. To support this case, OpenSSH optionally allows retaining the |
case, OpenSSH optionally allows retaining the attestation information |
| attestation information at the time of key generation. It will take the |
at the time of key generation. It will take the following format: |
| following format: |
|
| |
|
| string "sk-attest-v00" |
string "ssh-sk-attest-v00" |
| uint32 version (1 for U2F, 2 for FIDO2 in future) |
|
| string attestation certificate |
string attestation certificate |
| string enrollment signature |
string enrollment signature |
| |
uint32 reserved flags |
| |
string reserved string |
| |
|
| |
OpenSSH treats the attestation certificate and enrollment signatures as |
| |
opaque objects and does no interpretation of them itself. |
| |
|
| SSH U2F signatures |
SSH U2F signatures |
| ------------------ |
------------------ |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL.u2f CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh