- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Tue, 24 Nov 2015 17:28:30 +0000
- To: public-credentials@w3.org
On 24/11/2015 15:44, Manu Sporny wrote: > On 11/24/2015 04:55 AM, David Chadwick wrote: >> I have talked to some fido developers and they have said that they >> can give our code access to public keys. So assuming this is true, >> then our code will send this to the issuer in a new message, asking >> for a signed credential to be returned. This is all additional to >> standard FIDO messages > > To be clear, the system you are proposing doesn't work unless the FIDO > devices expose this information to the developer in a widely deployed > way (for example, 75% of the browser market implements it). At present, > no one exposes this information? > > I'm not asserting that it can't be done, just that you've put the > browser manufacturers in the critical path with no planned Working Group > to do what you need and that has typically resulted in delays of > multiple years (which we, the companies that are attempting to deploy > product into the marketplace, don't have). I dont believe this is always the case. The FIDO UAF Spec has the Register command, to which the Reg Assertion is returned, described as follows: 'The following TLV structure is generated by the authenticator during processing of a Register command. It is then delivered to FIDO Server intact, and parsed by the server. The structure embeds a TAG_UAFV1_KRD tag which among other data contains the newly generated UAuth.pub.' So the public key is returned to the FIDO client, which is not part of the browser in UAF. Many different companies produce Fido UAF clients. In the case of U2F, the FIDO client is the browser, so in this case you might be right, although one company that produces U2F devices has said that the public keys can be made available to us. > > That said, I still (personally) want to dive into the work you've done > because I think it's interesting and maybe there is another way to > achieve what you want w/o having such a reliance on the browser vendors > and HSM vendors. I would be glad to have you on board. The more brains the better. Lets discuss this off list regards David > > -- manu >
Received on Tuesday, 24 November 2015 17:28:30 UTC