X.509 + FIDO2 support on Security Keys


Arshad Noor

Aug 13, 2024, 8:07:22 AM
to FIDO Dev (fido-dev)
Hi,

I'm seeking to learn about Security Key manufacturers' products that
support X.509 and FIDO2 on the same product.

We have tested a couple
(https://docs.strongkey.com/index.php/skfs-v3/mfa-implementations) that
support the 5 authentication patterns we are interested in, but are
seeking to learn about more Security Keys with these features.

FIDO Alliance does not mention additional capabilities in their list of
certified Security Keys, so I would appreciate it if manufacturers who
have such support can let me know the name and/or model number of such
products.

Please feel free to reach out to me directly or respond here.

Thank you.

Arshad Noor
StrongKey

My1

Aug 16, 2024, 6:22:37 AM
to Arshad Noor, FIDO Dev (fido-dev)
What do you mean by X.509 specifically?

X.509 is just a format for certificates. Do you mean something like a standard smartcard (usually via PIV/CCID protocols)?

If a smartcard using the PGP protocol also works, I have a weird idea.

One slightly unusual product would be the Ledger cryptocoin wallets, which can act as a smartcard using the PGP/GPG protocols:
https://support.ledger.com/article/115005200649-zd?redirect=false

I have used it with SSH both in Linux and Windows (PuTTY) in the past.

One big advantage is the display: while I do not remember whether that was Windows or Linux, it was able to make different SSH keys per client, and using the screen you can view what you connect to.

Regards


--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/f9866e5b-3339-4fbd-91e2-750b16a8a084%40strongkey.com.

Chad Spensky

Aug 16, 2024, 7:43:18 AM
to My1, Arshad Noor, FIDO Dev (fido-dev)
Allthenticate's app exports self-signed X.509 certificates and can be used for SSH on Linux, Mac, and Windows using BLE, in addition to supporting FIDO2. Indeed, we use it internally to sign all of our git commits (and push/pull code), unlock our computers, and log in to our SSO.

Happy to discuss in more detail with anyone who is interested. Feel free to reach out directly.

Arshad Noor

Aug 16, 2024, 7:50:27 AM
to My1, FIDO Dev (fido-dev)
Thank you for that information, My1. Yes, I did mean smartcard-like
capability.

I'm not sure if this company is the same one that had a U2F
Authenticator almost a decade ago. I'm not particularly interested in
the crypto-token capabilities, but I will check them out.

However, if you have such a device, I would be curious to know if your
device is able to succeed with the TLS ClientAuth + FIDO2 demo we have
at https://demo.strongkey.com.

You will find the P12 files to test the ClientAuth part of the demo at
https://sourceforge.net/projects/strongkeyfido/files/v4.13.0/clientauth%2Bfido/

The attached picture depicts what our objectives are.

Thanks.

Arshad

Attachment: TLSCA-FIDO2-Demo-v1.pdf

Arshad Noor

Aug 16, 2024, 7:57:13 AM
to Chad Spensky, My1, FIDO Dev (fido-dev)
Thanks for that, Chad.

Does the app import a P12 from a controlled PKI, that can then be used
for the ClientAuth part of the demo I referenced in the response to My1
a few minutes ago?

Arshad


My1

Aug 16, 2024, 8:01:18 AM
to Arshad Noor, FIDO Dev (fido-dev)
Yeah, the cryptocoin functionalities are also not really my thing, although I see the cryptocoin wallets as having potential in the FIDO space: these are existing devices that can do FIDO2 and have a screen, so they could add the txAuth functionality if someone were to actually do that on the server and client side if needed. That is something I have wanted to see for a long time (and it could maybe replace the annoying TAN apps and whatnot that banks use, in favor of an actual standard).

I'll try it later on.

Arshad Noor

Aug 16, 2024, 3:37:22 PM
to fido...@fidoalliance.org
For those wondering whether X.509 has any relevance in the FIDO
ecosystem, this post on LI provides some more information.

https://www.linkedin.com/pulse/path-deterring-ransomware-attacks-arshad-noor-vqdjc/

Arshad