Re: WebAuthn and dealing with authenticator firmware updates

FIDO certified authenticators are not allowed to change FIDO core without
recertification, either through the delta or full. So attestation does not
lose its value.

If you really need highly secure authenticators, you can look towards
FIPS 140-2 certified ones.

On Wed, 20 Feb 2019 at 16:21, Shane B Weeden <sweeden@au1.ibm.com> wrote:

> The reality is different. Some vendors do upgrade. Some even allow you to
> do it yourself. Others do new manufacturing runs of the same model with
> different firmware versions although it is not clear what internal rules
> apply to what may be updated in a firmware version.
>
> The lack of consistency or ability to detect this makes it challenging for
> an RP to always believe in the value of attestation given that even some
> certified authenticator work this way.
>
> Sent from my iPhone
>
> On 21 Feb 2019, at 10:07 am, Akshay Kumar <Akshay.Kumar@microsoft.com>
> wrote:
>
> My assumption right now is external authenticators don’t upgrade.
> Upgrading the firmware needs to be thought through in terms of how securely
> one can upgrade. Also due to different form factors, mechanisms will be
> different. RP keeping a list of firmwares, which one is good and which one
> is not, is messy. And that list needs to be updated regularly by all the
> RPs. Which is another nightmare.
>
>
>
> *From:* Shane B Weeden <sweeden@au1.ibm.com>
> *Sent:* Wednesday, February 20, 2019 10:43 AM
> *To:* public-webauthn@w3.org
> *Subject:* WebAuthn and dealing with authenticator firmware updates
>
>
>
> Per posting at:
>
> https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY
>
> I'm considering opening a WebAuthn issue for this topic to see if there is
> a POV amongst webauthn authors on dealing with authenticator firmware
> version updates. This note is simply to solicit any comments on the list
> before I do that.
>
> Thanks,
> Shane..
>
>
>
--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand <https://github.com/herrjemand>
twitter: @herrjemand <https://twitter.com/herrjemand>
medium: @herrjemand <https://medium.com/@herrjemand>
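The thread turns on what an RP can actually learn from attestation. As an added illustration that is not part of the thread, the Python below parses the registration authenticator data an RP receives (rpIdHash, flags, signCount, then the attested credential data carrying the 16-byte AAGUID) and applies a per-AAGUID policy. The policy table, its AAGUIDs and the sample authenticator data are all constructed here; a real RP would populate such a table from FIDO metadata rather than hand-maintain it. Note that the attested data carries only the AAGUID of the model, not a firmware version, which is exactly why firmware changes are invisible to the RP unless the vendor recertifies under a new entry.

```python
import hashlib
import struct
import uuid

# Constructed policy table keyed by AAGUID. Names and AAGUIDs are made up for
# illustration; an RP would derive these entries from FIDO metadata.
AUTHENTICATOR_POLICY = {
    uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10"): {"name": "Example Key A", "certified": True},
    uuid.UUID("ffffffff-0000-0000-0000-000000000001"): {"name": "Example Key B", "certified": False},
}

# WebAuthn authenticator data flag bits
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed WebAuthn authenticator data layout:
    rpIdHash (32) | flags (1) | signCount (4) | [attested credential data]."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        # attested credential data: aaguid (16) | credIdLen (2) | credId | COSE key
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
        # credentialPublicKey (CBOR-encoded COSE key) follows; not needed here
    return parsed


def evaluate_authenticator(auth_data: bytes, expected_rp_id: str) -> str:
    """Return an accept/reject/unknown decision based on rpIdHash and AAGUID policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    aaguid = parsed["aaguid"]
    if aaguid is None:
        return "reject: no attested credential data"
    entry = AUTHENTICATOR_POLICY.get(aaguid)
    if entry is None:
        return "unknown: AAGUID not in policy table"
    if not entry["certified"]:
        return f"reject: {entry['name']} not certified"
    return f"accept: {entry['name']}"


def build_sample_auth_data(rp_id: str, aaguid: uuid.UUID,
                           flags: int = FLAG_UP | FLAG_AT, sign_count: int = 0) -> bytes:
    """Constructed registration authenticator data for testing.
    The trailing COSE key is a placeholder (empty CBOR map), not a real key."""
    cred_id = b"\x11" * 16
    placeholder_cose_key = b"\xa0"
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
        + aaguid.bytes
        + struct.pack(">H", len(cred_id))
        + cred_id
        + placeholder_cose_key
    )


if __name__ == "__main__":
    for aaguid in list(AUTHENTICATOR_POLICY) + [uuid.UUID(int=0)]:
        data = build_sample_auth_data("example.com", aaguid)
        print(aaguid, "->", evaluate_authenticator(data, "example.com"))
```

The "unknown" branch is where the thread's problem lands: a new manufacturing run or a field upgrade that keeps the same AAGUID looks identical to the RP, while one that ships under a new AAGUID simply falls out of the table until the RP's metadata is refreshed.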

Received on Thursday, 21 February 2019 00:42:00 UTC