Errors and errors :c

:man_facepalming: I probably should have done a better job searching…

I just skimmed it briefly. But as I’ve understood it, when a credential, especially a resident credential, is generated, the remote party needs to ensure that the key on the token is valid. This is done by attestation, and either the vendor of the FIDO2 chip or the manufacturer of the security key is in that Attestation Certificate Trust Store.

However, by now it seems to me that with each new (resident) credential a key is generated…

Web Authentication: An API for accessing Public Key Credentials - Level 2
7. Once the authorization gesture has been completed and user consent has been obtained, generate a new credential object:

7.3. Let credentialSource be a new public key credential source with the fields:

    type:        public-key
    privateKey:  privateKey
    rpId:        rpEntity.id
    userHandle:  userHandle
    otherUI:     Any other information the authenticator chooses to include.

Thanks again @ion.
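To make the two points above concrete (a fresh key pair for every credential, and the relying party only trusting that key after the attestation certificate chains to a vendor root in its trust store), here is an added, self-contained Go model of registration. It is not code from this thread, from Nitrokey, or from the WebAuthn spec: the vendor root, the batch attestation certificate, the RP identifier and the client data are all constructed for the demo, and authData is simplified to rpIdHash || DER public key (real authData also carries flags and a signature counter). The "packed"-style statement it mimics signs authData || clientDataHash with the attestation key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authenticator models a FIDO2 token: one vendor-issued attestation key and
// certificate shared by a batch of devices, plus a brand-new key pair for every
// credential (spec step 7.3: "privateKey privateKey"), kept on the token.
type Authenticator struct {
	attKey  *ecdsa.PrivateKey
	attCert *x509.Certificate
	creds   map[string]*ecdsa.PrivateKey // credential ID -> private key; never leaves the token
}

// Attestation is a simplified packed-style attestation statement.
type Attestation struct {
	CredentialID string
	CredPub      *ecdsa.PublicKey
	AuthData     []byte            // rpIdHash || DER-encoded credential public key (simplified)
	X5c          *x509.Certificate // attestation certificate issued by the vendor root
	Sig          []byte            // attestation-key signature over authData || clientDataHash
}

// newCert signs tmpl with signer (the key of parent) and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// setupVendor builds a constructed vendor root, the RP trust store holding only
// that root, and one authenticator whose attestation certificate it issued.
func setupVendor() (*x509.CertPool, *Authenticator, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "Example Vendor FIDO Attestation Root (constructed)"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootCert, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	attKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	attTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject:  pkix.Name{CommonName: "Example Authenticator Batch Attestation (constructed)"},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	attCert, err := newCert(attTmpl, rootCert, &attKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(rootCert)
	return pool, &Authenticator{attKey: attKey, attCert: attCert, creds: map[string]*ecdsa.PrivateKey{}}, nil
}

// MakeCredential is the authenticator side of registration: generate a new key
// pair for this RP, store it under a random credential ID, and attest it.
func (a *Authenticator) MakeCredential(rpID string, clientDataHash []byte) (*Attestation, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	credID := fmt.Sprintf("%x", id)
	a.creds[credID] = priv
	rpHash := sha256.Sum256([]byte(rpID))
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	authData := append(rpHash[:], pubDER...)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.attKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{CredentialID: credID, CredPub: &priv.PublicKey, AuthData: authData, X5c: a.attCert, Sig: sig}, nil
}

// VerifyAttestation is the relying-party side: the attestation certificate must
// chain to a root in the trust store, and its key must have signed exactly
// authData || clientDataHash; only then is the new credential key accepted as
// living on a device from a trusted vendor.
func VerifyAttestation(att *Attestation, trustStore *x509.CertPool, clientDataHash []byte) error {
	opts := x509.VerifyOptions{Roots: trustStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := att.X5c.Verify(opts); err != nil {
		return fmt.Errorf("attestation certificate not in trust store: %w", err)
	}
	attPub, ok := att.X5c.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected attestation key type")
	}
	digest := sha256.Sum256(append(append([]byte{}, att.AuthData...), clientDataHash...))
	if !ecdsa.VerifyASN1(attPub, digest[:], att.Sig) {
		return errors.New("attestation signature does not cover authData and clientDataHash")
	}
	return nil
}
```

Registering twice against the same RP yields two different credential public keys under the same attestation certificate, which is exactly the "each credential gets its own key" behaviour quoted from the spec; a token whose attestation certificate was issued by a root that is not in the RP's store fails VerifyAttestation even though its signature is internally valid.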

I’m not sure what else you expected.

Technically the expected level of attestation is up to the platform, and the data/cert exchanged you can see in the demo you performed earlier in the thread. Some info on NK3 attestation is discussed in:

No expectation, because I did not know what to expect :wink: That’s why I asked “how does it work?”

ID-Austria does not accept Nitrokey 3A NFC

Good to know.