- From: Dirk Balfanz <balfanz@google.com>
- Date: Tue, 23 Jul 2019 09:25:29 -0700
- To: John Bradley <jbradley@yubico.com>
- Cc: Marius Scurtescu <marius.scurtescu@coinbase.com>, Adam Langley <agl@google.com>, W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CADHfa2A+HPdcbraMNo1LP5-G7AwmsgygPZAsYyF_xOMo9t+anw@mail.gmail.com>
Don't we have a FacetID extension defined/in the works for webauthn?

Dirk.

On Tue, Jul 23, 2019 at 8:08 AM John Bradley <jbradley@yubico.com> wrote:
> Jeff and I discussed this yesterday. We will probably catch up with AGL today.
>
> At some point in the future DNS may sort the more general administrative boundary issue for browsers.
>
> Look at https://datatracker.ietf.org/doc/draft-brotman-rdbd/
>
> In the short term, we probably need to do a more specific WebAuthn delegation mechanism.
>
> John B
>
> On Fri, Jul 19, 2019 at 1:45 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>> The iframe solution might be good enough, but that opens other issues I am sure.
>>
>> A CTAP2 only solution is also problematic, because of all the CTAP keys out there.
>>
>> Have fun next week at IETF and thanks for the details.
>>
>> On Thu, Jul 18, 2019 at 6:42 PM John Bradley <jbradley@yubico.com> wrote:
>>> There was an effort to simplify the spec. FacetID was a victim of that. Dirk can fill in the details.
>>>
>>> The payments people are wanting the iframe solution, for 3dsecure and open banking.
>>>
>>> I think we do need a way to delegate domain A to act as a proxy for domain B.
>>>
>>> I would prefer to do it in a more granular way than was done in FacetID.
>>>
>>> Some of us kicked some ideas around at the last Fido plenary. I think it could be done in WebAuthn with existing CTAP2 authenticators.
>>>
>>> John B.
>>>
>>> On Thu, Jul 18, 2019, 7:50 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>>>> Thanks again Adam.
>>>>
>>>> Is this the iframe spec you are referring to: https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance
>>>>
>>>> The situation looks pretty bleak from where I stand. I am surprised that this is not coming up as an issue. Was there a concrete reason to stop supporting FacetID? Lack of interest?
>>>>
>>>> On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:
>>>>> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>>>>>> How is a multi-domain deployment supposed to work with WebAuthn? And by multi-domain I mean domains that don't match: example1.com and example2.com.
>>>>>>
>>>>>> One solution that was suggested is to always redirect to the IdP, so there is no need for multiple domains. That might work for login, but when WebAuthn is used as a re-authentication challenge then a full page redirect becomes very difficult to implement, especially for an existing application.
>>>>>
>>>>> WebAuthn credentials are tied to an RP ID, which is a domain name. There is no support for “groups” of domains being acceptable for a credential.
>>>>>
>>>>> Redirecting (with suitable care) is possible, somewhat similar to OAuth. There is also (currently) unimplemented spec for granting iframes WebAuthn abilities, in which case postMessage can be used. Implementation priorities are set by need and, currently, nobody is making a fuss about the lack of iframe support so it's not on the roadmap.
>>>>>
>>>>> Cheers
>>>>>
>>>>> AGL
Received on Tuesday, 23 July 2019 16:26:06 UTC