=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/PROTOCOL.u2f,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- src/usr.bin/ssh/PROTOCOL.u2f 2019/11/28 05:20:54 1.9 +++ src/usr.bin/ssh/PROTOCOL.u2f 2019/12/10 22:36:08 1.10 @@ -150,17 +150,10 @@ ------------------ In addition to the message to be signed, the U2F signature operation -requires a few additional parameters: +requires the key handle and a few additional parameters. The signature +is signed over a blob that consists of: - byte control bits (e.g. "user presence required" flag) - byte[32] SHA256(message) byte[32] SHA256(application) - byte key_handle length - byte[] key_handle - -This signature is signed over a blob that consists of: - - byte[32] SHA256(application) byte flags (including "user present", extensions present) uint32 counter byte[] extensions @@ -170,7 +163,7 @@ byte flags (including "user present") uint32 counter - byte[32] ecdsa_signature (in X9.62 format). + byte[] ecdsa_signature (in X9.62 format). For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 format data in the pre-authentication attack surface. Therefore, the
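Review bot: In the first hunk (@@ -150,17 +150,10 @@) the rewritten sentence "requires the key handle and a few additional parameters" drops the enumeration of what those parameters are (the removed lines listed the control bits, SHA256(message) and the length-prefixed key_handle) without naming them anywhere in the remaining text, so a reader now has to infer the request inputs from the signed blob alone. Suggest keeping a one-line list of the inputs, or at least stating which fields are supplied by the caller versus computed by the token, e.g. "requires the key handle, the control bits and SHA256(message)". Also, "The signature is signed over a blob" is tautological; "The signature is computed over a blob" reads better.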
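Review bot: In the second hunk (@@ -170,7 +163,7 @@) changing `byte[32] ecdsa_signature` to `byte[] ecdsa_signature` is the right fix, since an X9.62 / ASN.1 DER-encoded ECDSA signature is variable length and is not 32 bytes, but the field now has no stated length and the preceding fields (`byte flags`, `uint32 counter`) are fixed size, so it should be documented that the signature occupies the remainder of the response, or carries its own length, so that implementers know where it ends. Suggest a wording such as "byte[] ecdsa_signature (remaining bytes; X9.62/DER encoded)". This also ties in with the following sentence about avoiding server-side ASN.1 parsing: it would help to say explicitly at this point that the raw X9.62 blob is never sent to the server unparsed.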