- From: Adrian Gropper <agropper@healthurl.com>
- Date: Sat, 14 Apr 2018 15:59:09 +0000
- To: markchipman@gmail.com
- Cc: Adam Powers <adam@fidoalliance.org>, Credentials CG <public-credentials@w3.org>, Steven Rowat <steven_rowat@sunshine.net>
- Message-ID: <CANYRo8hyq-NsSix=uwwqfE0tssORv=8SSgC-vnxH8=+poeF4kg@mail.gmail.com>
I've not kept up with FIDO. Last I recall, the centralization was in the form of a certificate issued by the vendor to the secure element that itself had no serial number that would identify the specific SE to a relying party. This, in and of itself, does not seem to enable lock-in or correlation. It seems similar to Apple saying their SE does not leak serial numbers if I recall that correctly. What am I missing?

Adrian

On Sat, Apr 14, 2018 at 9:10 AM Mark Chipman <markchipman@gmail.com> wrote:

> Re: "Interesting. This "can't be used across multiple sites", as I understand it, was a major reason why Verifiable Credentials and then DID have been developed -- to give the user/owner the control over their own identity data, so they can move from site to site and their data isn't locked in by a single vendor system.
>
> So, this is still a major problem; and one which, perhaps, many vendors in the FIDO alliance would rather wasn't solved? Because I think it's fair to say that at least some of the large corporations involved have a business model that depends on having that data all to themselves."
>
> I couldn't agree more with Steven's point!... especially this: "perhaps, many vendors in the FIDO alliance would rather wasn't solved?" We need to avoid vendor lock-in.
>
> - Mark Chipman
>
> On Fri, Apr 13, 2018 at 10:10 AM, Steven Rowat <steven_rowat@sunshine.net> wrote:
>
>> On 2018-04-12 11:17 PM, Adam Powers wrote:
>>
>>> Great point, here are the links from my presentation (there were a couple other presentations as well):
>>>
>>> https://drive.google.com/drive/folders/1LyYp_SZpqboIPfUa1lo9zKtNv9SIv-5I?usp=sharing
>>>
>>> I think the only real problem we encountered was that (by design) WebAuthn uses "origin" to bind authentication to a specific service. It's a solvable problem, it will just take some conversation to figure out the pros and cons of some of the solutions that were mentioned. At the very least, it's implementable / demo-able now but the same DID can't be used across multiple sites until the origin issue gets solved.
>>
>> Interesting. This "can't be used across multiple sites", as I understand it, was a major reason why Verifiable Credentials and then DID have been developed -- to give the user/owner the control over their own identity data, so they can move from site to site and their data isn't locked in by a single vendor system.
>>
>> So, this is still a major problem; and one which, perhaps, many vendors in the FIDO alliance would rather wasn't solved? Because I think it's fair to say that at least some of the large corporations involved have a business model that depends on having that data all to themselves.
>>
>> And it seems, based on the presentation linked above, that this is relatively easy to solve, technically; or if not easy, at least doable.
>>
>> Yet will it be done? Because it doesn't seem easy to predict how it will all play out politically.
>>
>> IMO that may depend on there being sufficient demand for DID that the WebAuthn can't ignore it, even if some of those supporting WebAuthn would actually rather DID just failed. ;-)
>>
>> Steven Rowat
>>
>>> On April 12, 2018 at 10:19:06 AM, Andrew Hughes (andrewhughes3000@gmail.com) wrote:
>>>
>>>> At the Internet Identity Workshop (IIW) last week in Mountain View, there were some sessions discussing exactly this topic - how should WebAuthn and Verifiable Credentials and Credentials Community Group work together - leaders from each of the efforts were in attendance.
>>>>
>>>> andrew.
>>>>
>>>> *Andrew Hughes* CISM CISSP
>>>> *In Turn Information Management Consulting*
>>>> o +1 650.209.7542
>>>> m +1 250.888.9474
>>>> 1249 Palmer Road, Victoria, BC V8P 2H8
>>>> AndrewHughes3000@gmail.com
>>>> http://ca.linkedin.com/pub/andrew-hughes/a/58/682/
>>>> *Identity Management | IT Governance | Information Security*
>>>>
>>>> On Thu, Apr 12, 2018 at 10:08 AM, Adam Powers <adam@fidoalliance.org> wrote:
>>>>
>>>>> The quickest summary: WebAuthn is a way of generating public key pairs, storing a public key on a server and the private key in an "authenticator", and later using that key pair for authentication to a service.
>>>>>
>>>>> Insofar as DID is storing a public key in a DID document, that public key can be generated by WebAuthn and stored by DID. The most obvious overlap between DID and WebAuthn would be using WebAuthn as the mechanism for DIDAuth -- although there is still some work that needs to happen there to define and align the specs. In my perspective, they should be complementary and not competitive.
>>>>>
>>>>> I hope that helps.
>>>>>
>>>>> Adam Powers,
>>>>> Technical Director, FIDO Alliance
>>>>>
>>>>> On April 12, 2018 at 9:24:03 AM, Steven Rowat (steven_rowat@sunshine.net) wrote:
>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> The Guardian yesterday had a story of what appears to be a major announcement about how WebAuthn will replace passwords:
>>>>>>
>>>>>> https://www.theguardian.com/technology/2018/apr/11/passwords-webauthn-new-web-standard-designed-replace-login-method
>>>>>>
>>>>>> This included a quote showing that this is a W3C project:
>>>>>>
>>>>>> “WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.
>>>>>>
>>>>>> And after looking at the recent API spec itself, I see that it's a FIDO project, and so supported by Google, Microsoft, Paypal, and also Mozilla:
>>>>>>
>>>>>> http://www.w3.org/TR/2018/CR-webauthn-20180320/
>>>>>>
>>>>>> My Question:
>>>>>>
>>>>>> Is there any expected or known relationship between WebAuthn and the use of DIDs? ie., Can WebAuthn be used with DIDs? Will the uptake of WebAuthn preclude or inhibit the use of DIDs?
>>>>>>
>>>>>> ie., Are DID Docs and WebAuthn in competition, or are they complementary?
>>>>>>
>>>>>> Steven
>
> --
> - Mark

--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: https://patientprivacyrights.org/donate-3/
Received on Saturday, 14 April 2018 15:59:45 UTC