Support for sk extension on T2
Hi @maxgoedjen,
Is it possible to generate ecdsa-sk type ssh keys on the T2 chip? (or ed25519-sk in its replacement, but does not look possible yet based on https://github.com/maxgoedjen/secretive/issues/109).
Basically two parts to this answer: for the curve 25519 part, yeah, #109 is still the latest (I just checked it again recently, and afaict it's still unsupported by the SEP).
The broader "can the SEP (via Secretive) act as a security key" question is a bit more interesting – the short answer is "probably" but it's a wholly different protocol than SSH (one that SSH, as of recently, knows how to talk to, but still a separate protocol) – one that Secretive currently doesn't know how to speak.
Secretive already addresses a lot of the benefits that an sk extension would – strong private credential storage, user verification – and arguably a few more (admittedly I'm not super brushed up on the sk extension to ssh in particular – but if it's anything like browser support, I'm assuming it has some verification around domain names etc.). Given that, I'll leave this ticket open for now, but to be perfectly honest it's probably not super likely to happen short term.