[WebAuthn] Added article to clarify about Vendor CA

This commit is contained in:
Niklas Meyer 2022-01-20 15:57:35 +01:00 committed by GitHub
Parent c353558af5
Commit 095fe20e34
No GPG key could be found for this signature
GPG key ID: 4AEE18F83AFDEB23


@ -37,6 +37,8 @@ Finally, enter your current account password and, after selecting the `Touch Yub
Congratulations! You can now log in to the mailcow UI using your YubiKey! Congratulations! You can now log in to the mailcow UI using your YubiKey!
---
## WebAuthn (U2F, replacement) ## WebAuthn (U2F, replacement)
> :warning: **Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.<br>** > :warning: **Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.<br>**
> *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.* > *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.*
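Review bot: Two small wording fixes in the italic note of this hunk: "21th January 2022" should read "21st January 2022", and "consider a update" should be "consider an update". "use the Key" would also read better as "keep using your key", since no specific key has been introduced at this point in the section.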
@ -78,6 +80,17 @@ To enable this feature, change the value `WEBAUTHN_ONLY_TRUSTED_VENDORS` in mail
The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`. The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`.
### Is it dangerous to keep the Vendor Check disabled?
No, it isn´t!
These vendor certificates are only used to verify original hardware, not to secure the registration process.
As you can read in these articles, the deactivation is not software security related:
- [https://developers.yubico.com/U2F/Attestation_and_Metadata/](https://developers.yubico.com/U2F/Attestation_and_Metadata/)
- [https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651)
- [https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01](https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01)
In the end, however, it is of course your decision to leave this check disabled or enabled.
##### Example: ##### Example:
If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`. If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`.
After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices. After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices.
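Review bot: The answer "No, it isn´t!" is a little too absolute given what the rest of the hunk says: the vendor certificates are what lets mailcow enforce which authenticator models may be registered (the Apple-only example below depends on exactly that), so I would phrase it as "disabling the check does not weaken the registration or login itself, but mailcow can then no longer restrict users to a known set of hardware, which some organisations require". Also, `isn´t` uses an acute accent where an apostrophe belongs (`isn't`), and the heading level jumps from `###` straight to `#####`; `####` (or a bold "Example:" line) would keep the hierarchy consistent with the rest of the page.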
@ -91,6 +104,8 @@ Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates`
Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually.
---
## TOTP ## TOTP
The best known TFA method mostly used with a smartphone. The best known TFA method mostly used with a smartphone.