I'm reading this Yubico article on Universal Second Factor and OpenID Connect and came across the description of ephemeral keys.
I'm confused about when an ephemeral key is used and under what conditions they get cached.
From the Yubico document.
Page 7:
U2F does have a trust chain similar to the certificate authorities found in traditional PKI, but this is not tied directly to the key pairs issued by the U2F device. Instead, this trust chain is tied the device’s identifier certificates. These device certificates are used alongside the ephemeral keys to identify the device itself (or a batch of devices), allowing knowledgeable RPs to make informed decisions about which device manufacturers they are willing to accept.
Page 9:
Why would such caching systems be widely used when they clearly subvert a fundamental aspect of the security components? A system that constantly prompts a user for the same PIN again and again is likely to be ignored or rejected by users annoyed at the constant prompting. The use of a credential cache is often considered a reasonable tradeoff. However, the U2F design avoids having to make this tradeoff decision in the first place by explicitly declaring that the ephemeral keys are used to identify the device alone.
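The two quoted passages describe two different kinds of key: a long-lived attestation (device/batch) key that anchors the manufacturer trust chain, and a fresh key pair minted for each registration with a relying party. The simulation below is an added example, not code from the question or from Yubico, and it makes the split concrete: the RP trusts a list of batch attestation public keys (a stand-in for the device certificate chain), accepts a registration only when the new per-registration public key is attested by one of them, and later verifies sign-ins with that stored per-registration key alone. All names (`Device`, `RelyingParty`, `Register`, `Authenticate`, the app ID and challenges) are assumptions for the demo, and the message layout is simplified relative to the real U2F wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is a constructed stand-in for a U2F authenticator: one attestation key
// shared by a manufacturing batch, plus a fresh key pair per registration.
type Device struct {
	attestation *ecdsa.PrivateKey
	credentials map[string]*ecdsa.PrivateKey // hex key handle -> per-registration key
}

func NewDevice(batchKey *ecdsa.PrivateKey) *Device {
	return &Device{attestation: batchKey, credentials: map[string]*ecdsa.PrivateKey{}}
}

// registrationDigest binds the new public key and handle to the app ID and challenge.
func registrationDigest(appID, challenge string, handle, pub []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write([]byte(challenge))
	h.Write(handle)
	h.Write(pub)
	return h.Sum(nil)
}

// assertionDigest is what the per-registration key signs at sign-in time.
func assertionDigest(appID, challenge string, handle []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write([]byte(challenge))
	h.Write(handle)
	return h.Sum(nil)
}

// Register mints a per-registration key pair and attests it with the batch key.
// The attestation signature is the only place the batch identity is used.
func (d *Device) Register(appID, challenge string) (pub, handle, attSig []byte, err error) {
	cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	handle = make([]byte, 16)
	if _, err = rand.Read(handle); err != nil {
		return nil, nil, nil, err
	}
	pub = elliptic.Marshal(elliptic.P256(), cred.PublicKey.X, cred.PublicKey.Y)
	attSig, err = ecdsa.SignASN1(rand.Reader, d.attestation, registrationDigest(appID, challenge, handle, pub))
	if err != nil {
		return nil, nil, nil, err
	}
	d.credentials[hex.EncodeToString(handle)] = cred
	return pub, handle, attSig, nil
}

// Authenticate signs with the per-registration key only; the batch key is not involved.
func (d *Device) Authenticate(appID, challenge string, handle []byte) ([]byte, error) {
	cred, ok := d.credentials[hex.EncodeToString(handle)]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	return ecdsa.SignASN1(rand.Reader, cred, assertionDigest(appID, challenge, handle))
}

// RelyingParty trusts some batch attestation keys (standing in for the manufacturer
// certificate chain) and remembers one public key per accepted registration.
type RelyingParty struct {
	trustedBatches []*ecdsa.PublicKey
	registered     map[string]*ecdsa.PublicKey
}

func NewRelyingParty(trusted ...*ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{trustedBatches: trusted, registered: map[string]*ecdsa.PublicKey{}}
}

// AcceptRegistration stores the new public key only if a trusted batch attested it.
func (rp *RelyingParty) AcceptRegistration(appID, challenge string, pub, handle, attSig []byte) bool {
	digest := registrationDigest(appID, challenge, handle, pub)
	for _, batch := range rp.trustedBatches {
		if ecdsa.VerifyASN1(batch, digest, attSig) {
			x, y := elliptic.Unmarshal(elliptic.P256(), pub)
			if x == nil {
				return false // malformed point
			}
			rp.registered[hex.EncodeToString(handle)] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
			return true
		}
	}
	return false
}

// VerifyAssertion checks a sign-in response against the stored per-registration key.
func (rp *RelyingParty) VerifyAssertion(appID, challenge string, handle, sig []byte) bool {
	pub, ok := rp.registered[hex.EncodeToString(handle)]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(appID, challenge, handle), sig)
}

func main() {
	batch, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed batch key
	dev, rp := NewDevice(batch), NewRelyingParty(&batch.PublicKey)
	app := "https://rp.example.test" // assumed app ID
	pub, handle, sig, _ := dev.Register(app, "reg-challenge")
	fmt.Println("registration accepted:", rp.AcceptRegistration(app, "reg-challenge", pub, handle, sig))
	a, _ := dev.Authenticate(app, "login-challenge", handle)
	fmt.Println("assertion verified:", rp.VerifyAssertion(app, "login-challenge", handle, a))
}
```

Two things fall out of running it: every call to `Register` yields a different public key and handle, so the per-registration keys give the RP nothing to correlate across registrations, and a device attested by a batch key the RP does not trust is refused at registration even though its sign-in signatures would otherwise verify.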