- From: Johan Verrept <Johan.Verrept@vasco.com>
- Date: Thu, 2 Nov 2017 16:18:33 +0000
- To: Christiaan Brand <cbrand@google.com>, W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <1510aa78109f4ceaa2c39abc44ed33fa@srv-be-exch.vasco.com>
Hi Christiaan,
For non-enterprise deployment, you are asking RPs to trust the Privacy CA infrastructure which is unspecified, uncertified and probably even unaudited.
This is the weakest point in the proposal. The Privacy CA security level essentially becomes the security level of all authenticators. An RP can’t trust its attestation of a level 5 authenticator unless the infrastructure that generated this attestation is also certified to an equivalent security level.
Why not make this a service you offer to your Chrome users but allow them to override this at the request of the RP?
J.
From: Christiaan Brand [mailto:cbrand@google.com]
Sent: Wednesday, 1 November, 2017 17:21
To: W3C Web Authn WG <public-webauthn@w3.org>
Subject: Proposal: Chrome privacy CA
Hi folks,
Please see attached a proposal from Google regarding the "Privacy CA" model that Chrome will be adopting. The idea is to open this up for discussion (maybe on the call today, but definitely at TPAC next week).
Please note that this document is a WIP, but I wanted to make sure we give everyone an early glimpse into our thinking so we could refine the proposal as we go along while making sure we have the necessary plumbing in WebAuthN to support this model.
I'll also be cross-posting this to the FIDO2 TWG.
Regards,
Christiaan
Received on Thursday, 2 November 2017 16:18:59 UTC