Hey folks,
I'm working on an authenticator at Ledger implementing both U2F and CTAP2.
I've noticed that when I'm trying to authenticate on a website (through Chrome) using U2F, while not being already registered, I receive this APDU:
0001030000004042424242424242424242424242424242424242424242424242424242424242424141414141414141414141414141414141414141414141414141414141414141
...which is a register request, with the application parameter being 32 * 0x41 and the challenge 32 * 0x42.
I've tried and searched for an explanation for that behavior, and found traces of such a buffer in the Chromium sources or Apple WebCore sources (look for a kBogusAppParam). From what I understand, this is a workaround to check the user presence, but I fail to find additional doc or explanation on that.
Does anyone know this behavior, is it kind of a de facto standard? Could you explain to me what its ultimate goal is?
Thanks!
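Added example, not part of the original message and not Ledger, Chromium or WebCore code: a decoder for the register APDU quoted above that flags the placeholder challenge and application parameter. The names `parse_register`, `RegisterRequest` and `CAPTURED` are hypothetical, and the sample bytes are constructed from the layout the post describes (extended-length Lc, then 32 * 0x42, then 32 * 0x41).

```python
from dataclasses import dataclass

U2F_REGISTER = 0x01  # INS byte of a U2F register request
# Placeholder values as described in the post.
PLACEHOLDER_CHALLENGE = b"\x42" * 32
PLACEHOLDER_APP_PARAM = b"\x41" * 32

# Constructed sample following the layout the post describes:
# CLA INS P1 P2, 3-byte extended Lc (0x000040), challenge, application parameter.
CAPTURED = bytes.fromhex("00010300" + "000040" + "42" * 32 + "41" * 32)


@dataclass(frozen=True)
class RegisterRequest:
    p1: int
    challenge: bytes
    app_param: bytes

    @property
    def is_placeholder(self) -> bool:
        return (self.challenge == PLACEHOLDER_CHALLENGE
                and self.app_param == PLACEHOLDER_APP_PARAM)


def parse_register(apdu: bytes) -> RegisterRequest:
    """Parse an extended-length U2F register APDU; raise ValueError if malformed."""
    if len(apdu) < 7:
        raise ValueError("APDU shorter than header + extended Lc")
    cla, ins, p1, _p2 = apdu[:4]
    if cla != 0x00 or ins != U2F_REGISTER:
        raise ValueError("not a U2F register request")
    if apdu[4] != 0x00:
        raise ValueError("expected extended-length encoding (Lc starts with 0x00)")
    lc = int.from_bytes(apdu[5:7], "big")
    data, trailer = apdu[7:7 + lc], apdu[7 + lc:]
    if lc != 64 or len(data) != lc:
        raise ValueError("register data must be exactly 64 bytes")
    if len(trailer) not in (0, 2):  # optional 2-byte extended Le
        raise ValueError("unexpected bytes after request data")
    return RegisterRequest(p1, data[:32], data[32:])


if __name__ == "__main__":
    req = parse_register(CAPTURED)
    print(f"P1={req.p1:#04x} placeholder={req.is_placeholder}")
```

In the request data the challenge parameter comes first and the application parameter second, which is why the 0x42 bytes precede the 0x41 bytes on the wire.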