Re: WebAuthn and dealing with authenticator firmware updates

The reality is different. Some vendors do upgrade. Some even allow you to do it yourself. Others do new manufacturing runs of the same model with different firmware versions, although it is not clear what internal rules apply to what may be updated in a firmware version.

The lack of consistency or ability to detect this makes it challenging for an RP to always believe in the value of attestation given that even some certified authenticators work this way.

> On 21 Feb 2019, at 10:07 am, Akshay Kumar <Akshay.Kumar@microsoft.com> wrote:
> 
> My assumption right now is external authenticators don’t upgrade. Upgrading the firmware needs to be thought through in terms of how securely one can upgrade. Also due to different form factors, mechanisms will be different. RP keeping a list of firmwares, which one is good and which one is not, is messy. And that list needs to be updated regularly by all the RPs. Which is another nightmare.
>  
> From: Shane B Weeden <sweeden@au1.ibm.com> 
> Sent: Wednesday, February 20, 2019 10:43 AM
> To: public-webauthn@w3.org
> Subject: WebAuthn and dealing with authenticator firmware updates
>  
> Per posting at:
> https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY
> 
> I'm considering opening a WebAuthn issue for this topic to see if there is a POV amongst webauthn authors on dealing with authenticator firmware version updates. This note is simply to solicit any comments on the list before I do that.
> 
> Thanks,
> Shane..
> 
> 

Received on Thursday, 21 February 2019 00:21:06 UTC