W3C home > Mailing lists > Public > public-credentials@w3.org > April 2018

Re: Question: WebAuthn announcement -- relation to DIDs?

From: Adam Powers <adam@fidoalliance.org>
Date: Fri, 13 Apr 2018 09:21:48 -0700
Message-ID: <CACu+4cspXW2Qaj7_oKSYHoNvTn5oBCt-mqDL=QnDpt_+Yw7crg@mail.gmail.com>
To: Stephen Curran <swcurran@cloudcompass.ca>
Cc: Andrew Hughes <andrewhughes3000@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Steven Rowat <steven_rowat@sunshine.net>
My understanding* is that pairwise DIDs is a feature of Sovrin, but
potentially not a feature of other systems. If it does turn out that "all
DIDs are pairwise" is a valid assumption, the "origin issue" may be a

* - I'm new to DID and looking for education. This is largely me repeating
from what I've heard about people that are more educated about DID.

On April 13, 2018 at 9:13:21 AM, Stephen Curran (swcurran@cloudcompass.ca)

This is really encouraging to see, and from what I can tell would be huge
if/when WebAuthn and DIDs can be combined.

I'm confused on the origin issue as you frame it. I believe that most DID
implementations plan to use pairwise DIDs between an entity (person,
organization, etc.) and a service.  So a user logging in would have a DID
per service, and would not (as you show in your slides) be selecting which
existing DID to use, but would use the one specifically created for this

Is the origin issue different from that?  Or better, has someone with
sufficient knowledge of both documented somewhere the nature of the
DID-WebAuthn gap?

On Thu, Apr 12, 2018 at 11:17 PM, Adam Powers <adam@fidoalliance.org> wrote:

> Great point, here are the links from my presentation (there were a couple
> other presentations as well):
> https://drive.google.com/drive/folders/1LyYp_SZpqboIPfUa1lo9zKtNv9SIv-5I?
> usp=sharing
> I think the only real problem we encountered was that (by design) WebAuthn
> uses "origin" to bind authentication to a specific service. It's a solvable
> problem, it will just take some conversation to figure out the pros and
> cons of some of the solutions that were mentioned. At the very least, it's
> implementable / demo-able now but the same DID can't be used across
> multiple sites until the origin issue gets solved.
> On April 12, 2018 at 10:19:06 AM, Andrew Hughes (
> andrewhughes3000@gmail.com) wrote:
> At the Internet Identity Workshop (IIW) last week in Mountain View, there
> were some sessions discussing exactly this topic - how should WebAuthn and
> Verifiable Credentials and Credentials Community Group work together -
> leaders from each of the efforts were in attendance.
> andrew.
> *Andrew Hughes *CISM CISSP
> *In Turn Information Management Consulting*
> o  +1 650.209.7542
> m +1 250.888.9474
> 1249 Palmer Road, Victoria, BC V8P 2H8
> AndrewHughes3000@gmail.com
> ca.linkedin.com/pub/andrew-hughes/a/58/682/
> *Identity Management | IT Governance | Information Security *
> On Thu, Apr 12, 2018 at 10:08 AM, Adam Powers <adam@fidoalliance.org>
> wrote:
>> The quickest summary: WebAuthn is a way of generating public key pairs,
>> storing a public key on a server and the private key in an "authenticator",
>> and later using that key pair for authentication to a service.
>> Insofar as DID is storing a public key in a DID document, that public key
>> can be generated by WebAuthn and stored by DID. The most obvious overlap
>> between DID and WebAuthn would be using WebAuthn as the mechanism for
>> DIDAuth -- although there is still some work that needs to happen there to
>> define and align the specs. In my perspective, they should be complimentary
>> and not competitive.
>> I hope that helps.
>> Adam Powers,
>> Technical Director, FIDO Alliance
>> On April 12, 2018 at 9:24:03 AM, Steven Rowat (steven_rowat@sunshine.net)
>> wrote:
>> Greetings,
>> The Guardian yesterday had a story of what appears to be a major
>> announcement about how WebAuthn will replace passwords:
>> https://www.theguardian.com/technology/2018/apr/11/passwords
>> -webauthn-new-web-standard-designed-replace-login-method
>> This included a quote showing that this is a W3C project:
>> “WebAuthn will change the way that people access the Web,” said Jeff
>> Jaffe, chief executive of the World Wide Web Consortium (W3C), the
>> body that controls web standards."
>> And after looking at the recent API spec itself, I see that it's a
>> FIDO project, and so supported by Google, Microsoft, Paypal, and also
>> Mozilla:
>> http://www.w3.org/TR/2018/CR-webauthn-20180320/
>> My Question:
>> Is there any expected or known relationship between WebAuthn and the
>> use of DIDs? ie., Can WebAuthn be used with DIDs? Will the uptake of
>> WebAuthn preclude or inhibit the use of DIDs?
>> ie., Are DID Docs and WebAuthn in competition, or are they complementary?
>> Steven


Stephen Curran
Cloud Compass Computing, Inc. (C3I)

*Cell: (250) 857-1096*
Received on Friday, 13 April 2018 16:22:16 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:47 UTC