Re: [webauthn] Split RP ops "Registering a new credential" into one with and one without attestation (#1710) from Emil Lundberg via GitHub on 2022-03-29 (public-webauthn@w3.org from March 2022)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 29 Mar 2022 17:41:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1082187565-1648575713-sysbot+gh@w3.org>

Yeah, the critical piece to realize is that all WebAuthn credentials are "trust on first use" (TOFU) keys. Even with attestation, it is indeed possible for a malicious script to replace the public key and attestation statement during registration, and thus have the attacker's key registered instead of the victim's key. We touch on this in [13.4.4. Attestation Limitations](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation-limitations) in the Security Considerations section.

What attestation does is provide a way for the authenticator to prove to the RP what _kind_ of authenticator it is. That proof could eliminate the possibility of software-generated malicious keys, but a malicious script could still in theory call out a remote server to generate an attestation statement using a genuine authenticator on the RP's allow list. At best the RP could display a name and/or image of the authenticator as identified by the attestation statement, which could allow attentive users to notice if there's a discrepancy. But even then the attacker's remote server could have an array of authenticators of different brands and models to account for that too. And of course, [self attestation](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#self-attestation) is always susceptible to tampering since by definition there's no way to link the attestation key to any established root of trust.

So yeah, the registration ceremony is a [leap of faith](https://datatracker.ietf.org/doc/html/rfc4949#page-182), with or without attestation. But assuming one was completed securely, any subsequent authentication ceremonies are highly resistant to tampering since at that point there is an established trust relationship with a particular credential public key. You cannot know with certainty who the public key came from during registration, but you can know with certainty that an authentication signature came from _the same_ key pair as was registered.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1710#issuecomment-1082187565 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 29 March 2022 17:42:02 UTC