1. Right now, we specify flags like "no-touch-required" and "verify-required" during key generation, but I think this information should not be attached to keys at generation time, especially because servers must accept our keys based on their configurations: for example, one server may have "no-touch-required" in its "authorized_keys" file and another one doesn't. But we cannot change "no-touch-required" on every login since it's permanently attached to its private key. Also, keys created with "verify-required" need to have "verify_required" in the server config or they will be rejected, and if we add "verify-required" to keys which do not have this flag, they'll become useless. My point is that these options should be configured in ssh configs, so for each server we can specify them as they should be (or select a default with "Host *"). What do you think?
Defining these attributes during key generation allows the corresponding policy to be enforced at the authenticator level (through FIDO 2.1 credential protection, which is the intention), and subsequent notarisation by a CA.
Keys created with verify-required do not require verify-required to be set on the server. In FIDO2, the entity that ultimately decides how a signature takes place is the authenticator. The verifying part is of course expected to validate and reject signatures that do not satisfy its security requirements, but should accommodate signatures that exceed said requirements:
"(...) the Authenticator may perform user verification even if not requested to enhance its security offering." [1]
-p.

[1] https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html

openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
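As an added illustration of the asymmetry described in the reply (not code from the thread or from OpenSSH), the following model shows a key's generation-time policy being enforced by the authenticator, and a server applying its own authorized_keys options only as a lower bound. The flag bit values are assumed to follow the FIDO authenticator-data layout (UP = bit 0, UV = bit 2) that OpenSSH security-key signatures carry; the authorized_keys parsing and the signing side are deliberate simplifications.

```python
from dataclasses import dataclass

# Flag bits as used in FIDO authenticator data and OpenSSH sk signatures (assumed).
UP = 0x01  # user presence (touch) asserted
UV = 0x04  # user verification (PIN/biometric) asserted


@dataclass(frozen=True)
class KeyPolicy:
    """Attributes fixed at ssh-keygen time (-O no-touch-required / -O verify-required)."""
    no_touch_required: bool = False
    verify_required: bool = False


def authenticator_sign(policy: KeyPolicy) -> int:
    """Simplified signing side: the authenticator enforces the key's own policy,
    so a verify-required key always yields a signature with UV set."""
    flags = 0
    if not policy.no_touch_required:
        flags |= UP
    if policy.verify_required:
        flags |= UV
    return flags


def parse_options(line: str) -> set[str]:
    """Option words of an authorized_keys line, e.g.
    'verify-required sk-ssh-ed25519@openssh.com AAAA... comment' -> {'verify-required'}."""
    words = line.split()
    if not words or words[0].startswith(("sk-", "ssh-", "ecdsa-")):
        return set()
    return set(words[0].split(","))


def server_accepts(options: set[str], sig_flags: int) -> tuple[bool, str]:
    """Server-side check: reject signatures that fall short of the entry's
    requirements, accept those that meet or exceed them."""
    if "no-touch-required" not in options and not sig_flags & UP:
        return False, "server requires user presence, signature has none"
    if "verify-required" in options and not sig_flags & UV:
        return False, "server requires user verification, signature has none"
    return True, "ok"


# Constructed authorized_keys entries; the key blob is a placeholder.
ENTRIES = {
    "default": "sk-ssh-ed25519@openssh.com AAAAC3PLACEHOLDER comment",
    "verify": "verify-required sk-ssh-ed25519@openssh.com AAAAC3PLACEHOLDER comment",
    "no_touch": "no-touch-required sk-ssh-ed25519@openssh.com AAAAC3PLACEHOLDER comment",
}
```

A key generated with verify-required is accepted by the "default" entry because its signature exceeds that entry's requirement, while a plain key is rejected by the "verify" entry.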