--- version 1.18, 2020/01/25 23:13:09
+++ version 1.19, 2020/01/28 08:01:34
 choose not to include this information in the public key or save it by
 default.
 
-Attestation information is very useful however in an organisational
-context, where it may be used by a CA as part of certificate
-issuance. In this case, exposure to the CA of hardware identity is
-desirable. To support this case, OpenSSH optionally allows retaining the
-attestation information at the time of key generation. It will take the
-following format:
+Attestation information is useful for out-of-band key and certificate
+registration worksflows, e.g. proving to a CA that a key is backed
+by trusted hardware before it will issue a certificate. To support this
+case, OpenSSH optionally allows retaining the attestation information
+at the time of key generation. It will take the following format:
 
-	string		"sk-attest-v00"
-	uint32		version (1 for U2F, 2 for FIDO2 in future)
+	string		"ssh-sk-attest-v00"
 	string		attestation certificate
 	string		enrollment signature
+	uint32		reserved flags
+	string		reserved string
 
 OpenSSH treats the attestation certificate and enrollment signatures as
 opaque objects and does no interpretation of them itself.
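
Review bot: the new table leaves "reserved flags" and "reserved string" undefined, and since the uint32 version field is dropped in favour of carrying the version in the "ssh-sk-attest-v00" identifier, these two fields are now the only extension point; the hunk should state what a writer emits for them (zero and the empty string, presumably) and whether a reader must reject or ignore other values, otherwise independent parsers of this blob will disagree. Minor: "worksflows" in the rewritten paragraph should read "workflows".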
|
|
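The following reader/writer for the attestation blob is an added example, not OpenSSH's own code. It assumes the standard SSH wire encoding of the two field types used in the table (uint32 is four bytes big-endian; string is a uint32 length followed by that many bytes), uses the 1.19 layout with the "ssh-sk-attest-v00" identifier, and adopts a strict policy of my own choosing for the two reserved fields: they must be zero and empty until a later version gives them a meaning. The certificate and signature bytes in the demo are constructed placeholders, and the parser never looks inside them, matching the text's statement that OpenSSH treats them as opaque. The names OLD_PREFIX, reject_reason and AttestationError are mine.

```python
# Added example (not OpenSSH code): parse and build the "ssh-sk-attest-v00"
# attestation blob described above. Field encoding follows the SSH wire
# types: uint32 = 4 bytes big-endian, string = uint32 length + bytes.
import struct

ATTEST_V00 = b"ssh-sk-attest-v00"
# Identifier of the superseded (pre-1.19) layout, which carried a uint32
# version field after the identifier and had no reserved fields.
OLD_PREFIX = b"sk-attest-v00"


class AttestationError(ValueError):
    """Raised for malformed, truncated or unsupported attestation blobs."""


def _read_u32(buf, off):
    if off + 4 > len(buf):
        raise AttestationError("truncated uint32 at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _read_string(buf, off):
    n, off = _read_u32(buf, off)
    if off + n > len(buf):
        raise AttestationError("truncated string at offset %d" % off)
    return bytes(buf[off:off + n]), off + n


def _put_string(s):
    return struct.pack(">I", len(s)) + s


def encode_attestation(cert, sig, flags=0, reserved=b"", ident=ATTEST_V00):
    """Serialise the five-field blob. Defaults emit flags=0 and an empty
    reserved string (assumption: the text only calls these fields reserved)."""
    return (_put_string(ident) + _put_string(cert) + _put_string(sig)
            + struct.pack(">I", flags) + _put_string(reserved))


def parse_attestation(blob):
    """Split a blob into its fields. The certificate and signature are
    returned as raw bytes and are not interpreted, as in OpenSSH."""
    ident, off = _read_string(blob, 0)
    if ident == OLD_PREFIX:
        raise AttestationError("superseded layout %r (uint32 version field, "
                               "no reserved fields)" % ident)
    if ident != ATTEST_V00:
        raise AttestationError("unknown attestation format %r" % ident)
    cert, off = _read_string(blob, off)
    sig, off = _read_string(blob, off)
    flags, off = _read_u32(blob, off)
    reserved, off = _read_string(blob, off)
    if off != len(blob):
        raise AttestationError("%d trailing bytes after reserved string"
                               % (len(blob) - off))
    # Strict policy (my choice, not stated on this page): reserved fields
    # must be zero/empty until a future version assigns them a meaning.
    if flags != 0 or reserved:
        raise AttestationError("reserved fields in use: flags=%#x, %d reserved "
                               "bytes" % (flags, len(reserved)))
    return {"format": ident.decode("ascii"),
            "attestation_cert": cert,
            "enrollment_signature": sig}


def reject_reason(blob):
    """None if the blob parses cleanly, otherwise the error message."""
    try:
        parse_attestation(blob)
        return None
    except AttestationError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed placeholders: a real blob carries a DER certificate and an
    # authenticator signature here; this parser never looks inside either.
    sample = encode_attestation(b"\x30\x82\x01\x00<placeholder DER cert>",
                                b"\x30\x44<placeholder ECDSA sig>")
    print(parse_attestation(sample)["format"])
    print(reject_reason(encode_attestation(b"c", b"s", ident=OLD_PREFIX)))
    print(reject_reason(encode_attestation(b"c", b"s", flags=1)))
```

Rejecting nonzero reserved values is the conservative reading for a verifier: a blob produced by a future format revision then fails loudly instead of being silently accepted with fields it does not understand. A consumer that wants to be lenient can drop the flags/reserved check and simply return the extra fields.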
SSH U2F signatures
------------------