Re: [webauthn] SafetyNet Attestation Clarifications from Emil Lundberg via GitHub on 2018-06-25 (public-webauthn@w3.org from June 2018)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Jun 2018 17:21:10 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-400029472-1529947268-sysbot+gh@w3.org>

@arshadnoor writes in https://github.com/w3c/webauthn/issues/950#issuecomment-399699177:

> > I had always thought that implementers could choose to do verification against the attestation root verified by the scheme OR use MDS (or both).
> 
> Implementers that are conscientious about protecting the RP will have to use both.  Here's why:
> 
> - It is possible that the Authenticator manufacturer did not provide an AIA extension for a variety of reasons: 
> 
>      i) They do not know have a PKI built up correctly to enable this capability; 
>     ii) They assume that because the WebAuthn spec indicates that the AIA extension 
>            makes **id-ad-ocsp** optional, they do not not have to put in the **id-ad-caIssuers** access method
>            (thus making it impossible to programmatically verify the certificate-chain of the attestation certificate; 
>    iii) They have not revoked the attestation certificate of a compromised Authenticator for a variety 
>           of reasons;
> 
> - It is possible that the Authenticator manufacturer:
> 
>     i)  Is not participating in the FIDO MDS capability; 
>    ii)  Has forgotten to notify FIDO MDS about a compromised attestation key-pair or Authenticator;
>   iii)  Has gone out of business;
> 
> I realize neither the FIDO Alliance nor the W3C are responsible for "best practices" in the PKI industry; but to make both the CRLDP and the OCSP Responder URL optional in the attestation-certificate chain is irresponsible.  There is no point in defining a protocol for strong-authentication to eliminate passwords off the internet if we weaken the scaffolding necessary to build trust in the WebAuthn protocols.
> 
> I would **strongly** recommend that that the WebAuthn spec _remove_ the guidance in sections 8.2.1 and 8.3.1 about making the CRLDP and AIA extensions optional, and instead, recommend that Authenticator manufacturers follow "best practices" of the PKI industry in creating and managing their attestation certificate infrastructure.  Or make participation in the FIDO MDS mandatory.  If both capabilities cannot be relied upon by implementers, the FIDO ecosystem will setup RPs and their user-community for some unpleasant surprises.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/968#issuecomment-400029472 using your GitHub account

Received on Monday, 25 June 2018 17:21:13 UTC