On 03/24/2016 03:58 AM, Michael Rogers wrote:
> On the other hand, if you're using the dongle for that purpose and also
> as a second factor for logging into the server, you're sending the
> public key over the network so it's no longer secret - the server knows
> it at least.

To clarify, the idea here was to have client code that took the place of the U2F server: the actual server would not store or have access to the public key. I did say for usability the server should store the key handle, to make it easy to use a new client device. This idea is horrible, since there is no way for the user to get this key handle from the server using the stronger password entropy that the key handle is needed in order to support.

-elijah

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
