
Re: Solutions to the NASCAR problem?

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Tue, 24 Nov 2015 17:28:30 +0000
To: public-credentials@w3.org
Message-ID: <56549E3E.60301@kent.ac.uk>
On 24/11/2015 15:44, Manu Sporny wrote:
> On 11/24/2015 04:55 AM, David Chadwick wrote:
>> I have talked to some fido developers and they have said that they 
>> can give our code access to public keys. So assuming this is true, 
>> then our code will send this to the issuer in a new message, asking 
>> for a signed credential to be returned. This is all additional to 
>> standard FIDO messages
> 
> To be clear, the system you are proposing doesn't work unless the FIDO
> devices expose this information to the developer in a widely deployed
> way (for example, 75% of the browser market implements it). At present,
> no one exposes this information?
> 
> I'm not asserting that it can't be done, just that you've put the
> browser manufacturers in the critical path with no planned Working Group
> to do what you need and that has typically resulted in delays of
> multiple years (which we, the companies that are attempting to deploy
> product into the marketplace, don't have).

I don't believe this is always the case. The FIDO UAF Spec has the
Register command, to which the Reg Assertion is returned, described as
follows:

'The following TLV structure is generated by the authenticator during
processing of a Register command. It is then delivered to FIDO Server
intact, and parsed by the server. The structure embeds a TAG_UAFV1_KRD
tag which among other data contains the newly generated UAuth.pub.'

So the public key is returned to the FIDO client, which is not part of
the browser in UAF. Many different companies produce FIDO UAF clients.

In the case of U2F, the FIDO client is the browser, so in this case you
might be right, although one company that produces U2F devices has said
that the public keys can be made available to us.

> 
> That said, I still (personally) want to dive into the work you've done
> because I think it's interesting and maybe there is another way to
> achieve what you want w/o having such a reliance on the browser vendors
> and HSM vendors.

I would be glad to have you on board. The more brains the better. Let's
discuss this off-list.

regards

David

> 
> -- manu
> 
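As an added illustration, not code from this thread or from any FIDO implementation: a small Python parser that walks the nested UAF TLV structure quoted above and pulls UAuth.pub out of TAG_UAFV1_KRD, which is the step a FIDO client would need before it could hand the key to an issuer as David proposes. The tag values TAG_PUB_KEY, TAG_AAID, TAG_KEYID and the 0x1000 composite bit are taken from the UAF registry as I recall it and should be treated as assumptions to check against the spec version you target; the assertion bytes are constructed, and the parser rejects truncated or overrunning TLVs rather than reading past the buffer.

```python
import struct
# FIDO UAF TLV tags, assumed from the UAF registry (verify against your spec
# version). Bit 0x1000 marks a composite tag holding nested TLVs (assumed too).
TAG_UAFV1_REG_ASSERTION = 0x3E01
TAG_UAFV1_KRD = 0x3E03
TAG_KEYID = 0x2E09
TAG_AAID = 0x2E0B
TAG_PUB_KEY = 0x2E0C
COMPOSITE_BIT = 0x1000

def tlv(tag, value):
    """Encode one TLV: 2-byte little-endian tag and length, then the value."""
    return struct.pack("<HH", tag, len(value)) + value

def parse_tlvs(buf):
    """Split a TLV sequence into (tag, value) pairs; reject truncated input."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        tag, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV 0x%04X length %d overruns buffer" % (tag, length))
        out.append((tag, buf[off:off + length]))
        off += length
    return out

def find_tag(buf, wanted):
    """Depth-first search through composite TLVs for the first `wanted` tag."""
    for tag, value in parse_tlvs(buf):
        if tag == wanted:
            return value
        if tag & COMPOSITE_BIT:
            found = find_tag(value, wanted)
            if found is not None:
                return found
    return None

def extract_uauth_pub(reg_assertion):
    """Return UAuth.pub from a UAFV1 registration assertion; raise if absent."""
    krd = find_tag(reg_assertion, TAG_UAFV1_KRD)
    pub = find_tag(krd, TAG_PUB_KEY) if krd is not None else None
    if pub is None:
        raise ValueError("assertion carries no TAG_UAFV1_KRD with a TAG_PUB_KEY")
    return pub

# Constructed sample (not real authenticator output): KRD with AAID, KeyID and
# a placeholder public key, wrapped in the REG_ASSERTION tag the spec describes.
SAMPLE_PUB = b"\x04" + b"\x11" * 64  # placeholder uncompressed P-256 point
SAMPLE_KRD = tlv(TAG_AAID, b"ABCD#1234") + tlv(TAG_KEYID, b"\xaa" * 32) + tlv(TAG_PUB_KEY, SAMPLE_PUB)
SAMPLE_ASSERTION = tlv(TAG_UAFV1_REG_ASSERTION, tlv(TAG_UAFV1_KRD, SAMPLE_KRD))
```

The same walk applies to the attestation part of the assertion, so a server or client can locate the certificate and signature tags before trusting the key it just extracted.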
Received on Tuesday, 24 November 2015 17:28:30 UTC
