W3C home > Mailing lists > Public > public-credentials@w3.org > November 2015

Re: Solutions to the NASCAR problem?

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sun, 22 Nov 2015 17:53:38 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
Message-ID: <56520122.9060205@kent.ac.uk>

On 22/11/2015 16:33, Anders Rundgren wrote:
> On 2015-11-22 17:10, David Chadwick wrote:
>> Hi Anders
> Hi David,
> <snip>
>>>> The user sends the consumer SOP public key to the issuer and the issuer
>>>> assigns the attribute to that.
>>> I think you lost me here, at least with respect to the NASCAR problem.
>> This is because the user does not go to any third party to authenticate
>> to a site. A new key pair is generated for the site, and this
>> authenticates the user each time he calls. Note however that FIDO does
>> not provide any identity or authz information, just an authn key, which
>> is why we need to add this functionality using issuers.
> It is this sending of the consumer public key to issuer by the user which
> I don't quite understand :(

The user can prove possession of all the public keys his device has
issued. This is how he authenticates. The consumer only knows it is the
user at the other end of the connection because a challenge from the
consumer was signed by the private key corresponding to the user's
consumer public key.

Now if the consumer receives an attribute signed by an issuer, it proves
that the issuer issued it, but not who it belongs it. By using the
consumer public key as the ID of the user, the consumer now knows that
the user it has authenticated is the righful owner of the attributes.


> Anders
Received on Sunday, 22 November 2015 17:53:41 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:26 UTC