> That would open you up to being fingerprinted by the server, right?

I actually don't think it makes this worse, if the client is coded carefully. At least, it's not clearly worse.

SSH public key authentication has a back-and-forth: the client proposes public keys for which it claims it knows the corresponding private key, and the server can choose to say "Yeah, that'll work, prove you know that one". Filippo's fingerprinting trick (whoami.filippo.io) takes all the GitHub public keys and considers whether your SSH client claimed it can authenticate as them. But I believe it doesn't actually test that your claim was true, so it would actually be fooled if your client says it can authenticate as somebody else...

So this would be a bit different from that, but again a carefully configured client just won't admit to knowing how to do Security Key authentication to talk to some server it has never heard of, and the server needs to make a reasonable stab at guessing your ID. I think OpenSSH isn't going to allow a remote server to say "Here are 100MB of FIDO IDs, are any of these yours?"

The lack of scope restriction isn't ideal, but it feels like a parallel to the way TOFU was more or less enough for SSH in practice, whereas the Web really needed the Web PKI. Normal people can probably list the SSH servers they connect to, but you connect to huge numbers of HTTPS servers in normal web use.
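What "a carefully configured client" looks like in OpenSSH terms, as an added example that is not part of the comment above: an `~/.ssh/config` that stops the client from offering every loaded key to every server, so an unknown host never sees which identities (security-key-backed or otherwise) this client holds. Host names and key file paths are hypothetical.

```sshconfig
# Added example, not from the original comment. Host names and key paths
# are hypothetical.

# Weak default: with keys loaded in ssh-agent, OpenSSH offers each of them
# to every server it connects to, so any server can observe which public
# keys this client claims to hold.
#
# Host *
#     IdentitiesOnly no

# Hardened: offer only the identity files explicitly configured for a host.
# Note that IdentitiesOnly still allows the default-named files
# (~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk, ...), so keys
# you want scoped to one host should be stored under non-default names.
Host *
    IdentitiesOnly yes
    # No IdentityFile here: hosts not listed below get no configured key.

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_ed25519

Host build-box
    HostName build.example.net
    User deploy
    # Only this host is ever told that a security-key identity exists.
    IdentityFile ~/.ssh/build_sk
```

Running `ssh -v build-box` shows each "Offering public key" line, which is a quick way to confirm that only the intended identity is proposed to a given server.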