Please let me know If not the correct place, it wasn’t clear where a Webauthn topic is most appropriate.
As the topic suggests, I’m implementing Webauthn, which allows devices that support u2f to authenticate. OnlyKey should work, but most Webauthn implementations do not have a critical piece of information needed to enable supporting the OnlyKey.
If you take a quick look at the Duo labs demo, they have support for Yubico and Solokeys.
This is not because there is some special relationship, business deal, or anything like that.
It is simply because it was easy to find the ‘device attestation certificate’ publicly for the trusted attestation roots that a server will accept authentication requests for;
If I can locate the OnlyKey ‘device attestation certificate’ I can contribute to Duo labs so that Onlykey gets wider adoption by any one who follows Duo labs when they are implementing Webauthn too (like I am). There are a few more locations that can achieve the same via demos like this.
The problem I am facing is OnlyKey do not seem to publicly provide their device attestation certificate, and I am not educated in webauthn enough myself to correctly ‘derive’ the proper device attestation certificate to utilise myself.
Can someone either;
- provide a public link to the device attestation certificate for OnlyKey
- let me know where to request the device attestation certificate from Onlykey if it is not public (strange it isn’t public)
- educate me on why I don’t need a device attestation certificate for OnlyKey (maybe it is not following u2f specification the same as other compliant devices, and can work with webauthn some other way I am not aware of)