The U2F device protocol is open. However, for effective security, a U2F device has to be built to certain standards – for example, if the Key Handle contains private keys encrypted with some manufacturer specific method, this has to be certified as well implemented, ideally by some ‘certification body’ such as FIDO. In addition, the actual cryptographic engine (secure element) should ideally have some strong security properties.
With these considerations in mind, a relying party needs to be able to identify the type of device it is speaking to in a strong way so that it can check against a database to see if that device type has the certification characteristics that particular relying party cares about. So, for example, a financial services site may choose to only accept hardware-backed U2F devices, while some other site may allow U2F devices implemented in software.
Every U2F device has a shared ‘Attestation’ key pair which is present on it – this key is shared across a large number of U2F device units made by the same vendor (this is to prevent individual identifiability of the U2F device). Every public key output by the U2F device during the registration step is signed with the attestation private key.
The intention is that the public keys of all the ‘Attestation’ key pairs used by each vendor will be available in the public domain – this could be implemented by certificates chaining to a root public key or literally as a list. We will work within FIDO to decide the details on how certified vendors can publish their attestation public keys.
When such an infrastructure is available, a particular relying party – say, a bank – might choose to accept only U2F devices from certain vendors which have the appropriate published certifications. To enforce this policy, it can verify that the public key from a U2F device presented by the user is from a vendor it trusts.
So this would allow an organization to limit the U2F devices it will accept, maybe after assessing their certification.
I wonder if there is something standard like this in the PKI world to let the RA/CA know for sure if the user generated its key pair in a hardware device.
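The attestation flow the quoted FIDO text describes (a batch-shared vendor attestation key signing each freshly registered public key, and a relying party accepting only keys attested by a vendor on its published allow-list), as an added example that is not part of the original post or of any FIDO or vendor code. It assumes a constructed, simplified registration message rather than the real U2F wire format; the app parameter, challenge and key handle values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Registration is a constructed, simplified registration message (not the U2F wire format):
// the new per-site key, its opaque key handle, the shared vendor attestation key and the attestation signature.
type Registration struct {
	UserPub, KeyHandle, Sig []byte
	AttestPub               *ecdsa.PublicKey
}

// attestedHash binds the attestation signature to this site, challenge, key handle and new public key.
func attestedHash(appParam, challenge, keyHandle, userPub []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{appParam, challenge, keyHandle, userPub}, nil))
	return sum[:]
}

// Register is the device side: mint a fresh P-256 key pair for this site and sign its public key with the shared attestation key.
func Register(attestPriv *ecdsa.PrivateKey, appParam, challenge, keyHandle []byte) (*Registration, error) {
	userPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	userPub := elliptic.Marshal(elliptic.P256(), userPriv.X, userPriv.Y)
	sig, err := ecdsa.SignASN1(rand.Reader, attestPriv, attestedHash(appParam, challenge, keyHandle, userPub))
	if err != nil {
		return nil, err
	}
	return &Registration{userPub, keyHandle, sig, &attestPriv.PublicKey}, nil
}

// VerifyRegistration is the relying-party policy: the attestation key must be on the published allow-list, and
// the signature, checked against the published copy of that key, must cover exactly this key handle and public key.
func VerifyRegistration(reg *Registration, appParam, challenge []byte, published []*ecdsa.PublicKey) error {
	for _, p := range published {
		if reg.AttestPub.Equal(p) {
			if ecdsa.VerifyASN1(p, attestedHash(appParam, challenge, reg.KeyHandle, reg.UserPub), reg.Sig) {
				return nil
			}
			return errors.New("attestation signature does not cover this key")
		}
	}
	return errors.New("attestation key is not from a trusted vendor")
}
```

A bank that trusts only certified vendors puts just those vendors' published attestation keys in the allow-list; a registration from any other batch, or one whose signature does not cover the presented key, is rejected before the new key is stored.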