https://bugzilla.mindrot.org/show_bug.cgi?id=3516
--- Comment #3 from pedro martelletto <[email protected]> ---

The client data part of the attestation payload can be specified out-of-band through ssh-keygen -O challenge=, https://man.openbsd.org/ssh-keygen#challenge.

Regarding different attestation statement formats, intermediate or root certificates, and other data required to attest a credential: in most cases involving USB or NFC security keys, the format will be "packed" or "fido-u2f", and the root CA published by the vendor of the security key (e.g. https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt). What is currently in place should be enough to satisfy that scenario.

Going forward, we might want to embed the attestation format and the entire attestation statement (fido_cred_fmt() and fido_cred_attstmt_ptr() respectively) in the attestation blob.
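To show what a verifier gets from the attestation blob today, here is an added example (not part of the comment above and not OpenSSH code) that splits a blob into its fields. The field layout is assumed from OpenSSH's PROTOCOL.u2f (`ssh-sk-attest-v00`/`v01`); the function names and the sample bytes are constructed for illustration.

```python
import struct

VERSIONS = (b"ssh-sk-attest-v00", b"ssh-sk-attest-v01")

def read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end

def parse_sk_attestation(blob):
    """Split an attestation blob into named fields, rejecting malformed input."""
    magic, off = read_string(blob, 0)
    if magic not in VERSIONS:
        raise ValueError("unknown attestation blob version")
    fields = {"version": magic.decode("ascii")}
    fields["attestation_cert"], off = read_string(blob, off)  # X.509, DER
    fields["signature"], off = read_string(blob, off)         # enrollment signature
    if magic == VERSIONS[1]:
        # Assumed layout: only v01 carries the CBOR-encoded authenticator data.
        fields["authdata"], off = read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated reserved flags")
    (fields["reserved_flags"],) = struct.unpack_from(">I", blob, off)
    fields["reserved"], off = read_string(blob, off + 4)
    if off != len(blob):
        raise ValueError("trailing bytes after attestation blob")
    return fields

def wire(s):
    """Encode bytes as an SSH wire string (helper for the constructed sample)."""
    return struct.pack(">I", len(s)) + s

# Constructed sample: placeholder bytes, not a real certificate or signature.
SAMPLE = (wire(b"ssh-sk-attest-v01") + wire(b"\x30\x82CERT") + wire(b"SIG")
          + wire(b"\x58\x04AUTH") + struct.pack(">I", 0) + wire(b""))

if __name__ == "__main__":
    for name, value in parse_sk_attestation(SAMPLE).items():
        print(name, value)
```

The parsed result has no field for the attestation format or the full attestation statement, so a verifier has to assume the format and obtain the challenge and vendor root CA separately.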
