- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Sun, 22 Nov 2015 17:14:28 -0500
- To: David Chadwick <d.w.chadwick@kent.ac.uk>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
On 11/22/2015 12:53 PM, David Chadwick wrote:
>
> On 22/11/2015 16:33, Anders Rundgren wrote:
>> On 2015-11-22 17:10, David Chadwick wrote:
>>> Hi Anders
>>
>> Hi David,
>>
>> <snip>
>>
>>>>> The user sends the consumer SOP public key to the issuer and the issuer assigns the attribute to that.
>>>>
>>>> I think you lost me here, at least with respect to the NASCAR problem.
>>>
>>> This is because the user does not go to any third party to authenticate to a site. A new key pair is generated for the site, and this authenticates the user each time he calls. Note however that FIDO does not provide any identity or authz information, just an authn key, which is why we need to add this functionality using issuers.
>>
>> It is this sending of the consumer public key to issuer by the user which I don't quite understand :(
>
> The user can prove possession of all the public keys his device has issued. This is how he authenticates. The consumer only knows it is the user at the other end of the connection because a challenge from the consumer was signed by the private key corresponding to the user's consumer public key.
>
> Now if the consumer receives an attribute signed by an issuer, it proves that the issuer issued it, but not who it belongs to. By using the consumer public key as the ID of the user, the consumer now knows that the user it has authenticated is the rightful owner of the attributes.

It may be difficult to do, but is there a danger that the user will present the public key ID for a user other than themselves and receive a credential that is signed for that other person? How does the issuer authenticate the user's ownership of the public key ID?

-- 
Dave Longley
CTO
Digital Bazaar, Inc.
Received on Sunday, 22 November 2015 22:14:53 UTC
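As an added illustration, not code from this thread or from any of its participants: a Go sketch of the issuer-side check Dave asks about. The issuer binds an attribute to a presented public key only after the requester signs a fresh, single-use, issuer-chosen nonce with the matching private key (the same challenge mechanism the consumer already uses for authentication), and the consumer accepts the credential only when its subject key equals the key it authenticated. Ed25519, the credential layout (subjectKey || attribute) and all names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Issuer signs credentials of the form subjectKey || attribute, where subjectKey
// is the holder's consumer-specific public key acting as the subject ID (assumed layout).
type Issuer struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	nonces map[string]bool // outstanding challenges, each usable once
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Issuer{priv: priv, Pub: pub, nonces: map[string]bool{}}, err
}

// Challenge hands the requester a fresh nonce to sign with the private key
// matching the public key it claims as its ID.
func (is *Issuer) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	is.nonces[string(nonce)] = true
	return nonce, err
}

// Issue returns credential bytes and the issuer's signature over them, but only after
// proof of possession: a signature over an outstanding nonce by subjectKey's private key.
func (is *Issuer) Issue(subjectKey ed25519.PublicKey, attr string, nonce, proof []byte) (cred, sig []byte, err error) {
	if len(subjectKey) != ed25519.PublicKeySize || !is.nonces[string(nonce)] {
		return nil, nil, errors.New("malformed subject key or unknown/reused challenge")
	}
	delete(is.nonces, string(nonce)) // single use: a captured proof cannot be replayed
	if !ed25519.Verify(subjectKey, nonce, proof) {
		return nil, nil, errors.New("proof of possession failed")
	}
	cred = append(append([]byte{}, subjectKey...), attr...)
	return cred, ed25519.Sign(is.priv, cred), nil
}

// ConsumerAccept trusts the attribute only if the issuer's signature verifies and
// the subject key is the very key that answered the consumer's own challenge.
func ConsumerAccept(issuerPub ed25519.PublicKey, cred, sig []byte, authKey ed25519.PublicKey) bool {
	return len(authKey) == ed25519.PublicKeySize && bytes.HasPrefix(cred, authKey) && ed25519.Verify(issuerPub, cred, sig)
}
```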