Hello list!

Recently, there was a request to implement CTAP 2.1 resident credential management in Trezor, a hardware wallet which already supports FIDO2 authentication (full CTAP 2.0). My colleague Andrew [1] raised some points on GitHub and I'd like to check with you what we are missing, or whether Andrew is right. Thank you for your help and understanding!

Quoting from [1]:

It really makes no sense to me why credential management is needed by OpenSSH in the first place. In fact it doesn't even make sense to me why resident credentials are needed by OpenSSH.

Firstly, the private key file `id_ed25519_sk` contains primarily the FIDO credential, which is nothing secret and should logically be placed in `id_ed25519_sk.pub`, which resides on the remote server. This way FIDO authenticators wouldn't even need to support resident credentials to function with OpenSSH.

Secondly, assuming that there is some kind of rational reason not to place the FIDO credential into `id_ed25519_sk.pub`, credential management commands should still not be needed. I see no justifiable reason why to load resident keys from a FIDO authenticator to the SSH client computer, which is what `ssh-add -K` does. The normal way to work with resident credentials is to specify the RP ID `ssh:` in the authentication request to the authenticator. This all works well with CTAP 2.0.

[1] https://github.com/trezor/trezor-firmware/issues/877#issuecomment-2573760523

-- 
Best Regards / S pozdravom,
Pavol "Stick" Rusnak
Co-Founder, SatoshiLabs

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
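The message above argues about which FIDO fields live in `id_ed25519_sk` versus `id_ed25519_sk.pub`. The following is an added example (not part of the thread, and not OpenSSH or Trezor code) that builds a synthetic, unencrypted `sk-ssh-ed25519@openssh.com` key pair in OpenSSH's own on-disk layout (`openssh-key-v1` container per PROTOCOL.key, field order per PROTOCOL.u2f) and parses both files back, so one can see that the `.pub` line carries only the public key and the application string, while the private file additionally carries the flags byte and the `key_handle` (the FIDO credential ID). All key bytes, the check value and the comment are constructed dummy values.

```python
"""Build and parse an unencrypted OpenSSH sk-ssh-ed25519@openssh.com key pair.

Added example: layout follows OpenSSH's PROTOCOL.key / PROTOCOL.u2f
documents; all key material below is CONSTRUCTED dummy data, not a real
credential. Purpose: show which FIDO fields live in the private file
(key_handle, flags) versus the .pub line (public key, application only).
"""
import base64
import struct

KEY_TYPE = b"sk-ssh-ed25519@openssh.com"
MAGIC = b"openssh-key-v1\x00"  # container magic, NUL-terminated


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Cursor over SSH wire-format data with bounds checks."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated string")
        self.pos += n
        return v


def build_sk_keypair(pubkey: bytes, application: bytes, flags: int,
                     key_handle: bytes, comment: bytes = b"demo@host"):
    """Return (private_key_text, public_key_line) for a constructed sk key.

    Cipher and KDF are "none" so the private section is parseable here.
    """
    pub_blob = _s(KEY_TYPE) + _s(pubkey) + _s(application)
    checkint = struct.pack(">II", 0x11223344, 0x11223344)  # constructed
    priv = (checkint + _s(KEY_TYPE) + _s(pubkey) + _s(application)
            + bytes([flags]) + _s(key_handle) + _s(b"") + _s(comment))
    pad = (-len(priv)) % 8            # pad to block size with 1, 2, 3, ...
    priv += bytes(range(1, pad + 1))
    body = (MAGIC + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(pub_blob) + _s(priv))
    b64 = base64.b64encode(body).decode()
    pem = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    pem += "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    pem += "\n-----END OPENSSH PRIVATE KEY-----\n"
    pub_line = "%s %s %s\n" % (KEY_TYPE.decode(),
                               base64.b64encode(pub_blob).decode(),
                               comment.decode())
    return pem, pub_line


def parse_public_line(line: str) -> dict:
    """Fields in the .pub line: key type, public key, application only."""
    r = Reader(base64.b64decode(line.split()[1]))
    if r.string() != KEY_TYPE:
        raise ValueError("not an sk-ssh-ed25519 key")
    return {"pubkey": r.string(), "application": r.string()}


def parse_private_pem(pem: str) -> dict:
    """Fields in the private file, including flags and the key handle."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    r = Reader(base64.b64decode("".join(lines)))
    if r.data[:len(MAGIC)] != MAGIC:
        raise ValueError("bad magic")
    r.pos = len(MAGIC)
    cipher, _kdf, _kdfopts = r.string(), r.string(), r.string()
    if cipher != b"none":
        raise ValueError("encrypted key; decrypt before parsing")
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    _pub_blob = r.string()
    p = Reader(r.string())
    if p.u32() != p.u32():
        raise ValueError("checkint mismatch (wrong passphrase or corrupt)")
    if p.string() != KEY_TYPE:
        raise ValueError("not an sk-ssh-ed25519 key")
    return {"pubkey": p.string(), "application": p.string(),
            "flags": p.u8(), "key_handle": p.string(),
            "reserved": p.string(), "comment": p.string()}


def demo():
    """Round-trip a constructed key; flags 0x01 = user presence required."""
    pem, pub = build_sk_keypair(b"\x01" * 32, b"ssh:", 0x01, b"\xaa" * 64)
    return parse_private_pem(pem), parse_public_line(pub)


if __name__ == "__main__":
    priv, pub = demo()
    print("private file fields:", sorted(priv))
    print("public line fields: ", sorted(pub))
```

Running it shows `key_handle` only among the private-file fields. For a non-resident credential that handle is what the authenticator needs in order to re-derive the signing key, so the client must still hold the file even though its contents are not confidential; for a resident credential the authenticator can look the key up by RP ID (`ssh:`) alone, which is the situation the quoted comment describes.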