W3C home > Mailing lists > Public > public-credentials@w3.org > April 2018

Re: Question: WebAuthn announcement -- relation to DIDs?

From: Adam Powers <adam@fidoalliance.org>
Date: Fri, 13 Apr 2018 02:17:46 -0400
Message-ID: <CACu+4cvwvnfV+XHq5g_7nLZT-2i_bPKtOPGcX9sK5W1AeR_K3w@mail.gmail.com>
To: Andrew Hughes <andrewhughes3000@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Steven Rowat <steven_rowat@sunshine.net>
Great point, here are the links from my presentation (there were a couple
other presentations as well):

I think the only real problem we encountered was that (by design) WebAuthn
uses "origin" to bind authentication to a specific service. It's a solvable
problem, it will just take some conversation to figure out the pros and
cons of some of the solutions that were mentioned. At the very least, it's
implementable / demo-able now but the same DID can't be used across
multiple sites until the origin issue gets solved.

On April 12, 2018 at 10:19:06 AM, Andrew Hughes (andrewhughes3000@gmail.com)

At the Internet Identity Workshop (IIW) last week in Mountain View, there
were some sessions discussing exactly this topic - how should WebAuthn and
Verifiable Credentials and Credentials Community Group work together -
leaders from each of the efforts were in attendance.


*Andrew Hughes *CISM CISSP
*In Turn Information Management Consulting*

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
*Identity Management | IT Governance | Information Security *

On Thu, Apr 12, 2018 at 10:08 AM, Adam Powers <adam@fidoalliance.org> wrote:

> The quickest summary: WebAuthn is a way of generating public key pairs,
> storing a public key on a server and the private key in an "authenticator",
> and later using that key pair for authentication to a service.
> Insofar as DID is storing a public key in a DID document, that public key
> can be generated by WebAuthn and stored by DID. The most obvious overlap
> between DID and WebAuthn would be using WebAuthn as the mechanism for
> DIDAuth -- although there is still some work that needs to happen there to
> define and align the specs. In my perspective, they should be complimentary
> and not competitive.
> I hope that helps.
> Adam Powers,
> Technical Director, FIDO Alliance
> On April 12, 2018 at 9:24:03 AM, Steven Rowat (steven_rowat@sunshine.net)
> wrote:
> Greetings,
> The Guardian yesterday had a story of what appears to be a major
> announcement about how WebAuthn will replace passwords:
> https://www.theguardian.com/technology/2018/apr/11/
> passwords-webauthn-new-web-standard-designed-replace-login-method
> This included a quote showing that this is a W3C project:
> “WebAuthn will change the way that people access the Web,” said Jeff
> Jaffe, chief executive of the World Wide Web Consortium (W3C), the
> body that controls web standards."
> And after looking at the recent API spec itself, I see that it's a
> FIDO project, and so supported by Google, Microsoft, Paypal, and also
> Mozilla:
> http://www.w3.org/TR/2018/CR-webauthn-20180320/
> My Question:
> Is there any expected or known relationship between WebAuthn and the
> use of DIDs? ie., Can WebAuthn be used with DIDs? Will the uptake of
> WebAuthn preclude or inhibit the use of DIDs?
> ie., Are DID Docs and WebAuthn in competition, or are they complementary?
> Steven
Received on Friday, 13 April 2018 06:18:22 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:47 UTC