Re: Feedback on DID Auth paper

Hi Markus,

Great document, thanks for putting it together.

A few initial thoughts:

   1. Note that FIDO / WebAuthn authenticators currently only sign
   challenges that match the origin that was used during key creation. This is
   explicitly to prevent phishing. As an open issue, we need to have a
   discussion around the relationships between origins and DIDs.
   2. In relation to #1, do you have a security model in mind? Or some
   security goals? I'm specifically wondering about the relationship between
   phishing and DIDs. Here are FIDO's Security Goals
   <https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html#fido-security-goals>,
   if that's of any help.
   3. The WebAuthn function calls (registration, login) look very
   simplified compared to the real calls. If you based these on my IIW slides
   I had abstracted the calls to provide a gentle introduction, but some
   purists or pedantic people might argue that your representation of WebAuthn
   APIs isn't precise enough. Hopefully that doesn't happen, but I don't want
   you to feel surprised or misled if it does. If you want to get ahead of the
   pedantics, you can look at PublicKeyCredentialCreationOptions
   <https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions>
   (register) and PublicKeyCredentialRegistrationOptions
   <https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions>
   (login).

Hope that helps.

Adam



On June 19, 2018 at 1:24:39 PM, Markus Sabadello (markus@danubetech.com)
wrote:

Hello Credentials Group,

At RWoT#6 we started to work on a paper on "DID Auth", i.e. a protocol to
"prove control over a DID":
https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md

Also known as "Super Sign On", as Moses calls it :)

This paper doesn't define such a protocol, but it tries to capture the
"collected community wisdom" on various ways DID Auth _could_ be done.
It lists potential challenge/response formats and transports, as well as
some possible architectures for how all the pieces can fit together.

In the last few weeks I've worked with Dmitri Zagidulin and other authors
and contributors to fill in the last major missing pieces, which are
currently open PRs:
- Biometrics in DID Auth
<https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/89>
- Relation to WebAuthn
<https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/90>
- Relation to OIDC
<https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/91>

There are still some minor edits and fixes we need to do, but the latest
version (with all PRs merged) can now be viewed here (temporarily in my own
fork):
https://github.com/peacekeeper/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md

Please let us know if you have feedback or think something important is
missing or wrong (but again, this is not a spec).

Special thanks to BCGov for supporting this work!

Markus

Received on Wednesday, 20 June 2018 06:51:34 UTC
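
The origin binding raised in point 1 of the reply above, seen from the relying party's side, as an added example (not code from the DID Auth paper, the WebAuthn specification, or either author). The server checks the origin the browser recorded in clientDataJSON and the RP ID hash in authenticatorData before it trusts the signature. Function names, origins and the key pair are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for browser + authenticator, used only to build sample input.
// The browser writes the origin it actually sees into clientDataJSON; the
// authenticator signs authenticatorData || SHA-256(clientDataJSON).
function makeSampleAssertion(privateKey, { origin, rpId, challenge }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flagsAndCounter = Buffer.from([0x01, 0, 0, 0, 1]); // UP flag set, signCount = 1
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCounter]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party verification. `expected` holds what the server issued and trusts.
function verifyAssertion(assertion, publicKey, expected) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  let clientData;
  try { clientData = JSON.parse(clientDataJSON.toString('utf8')); }
  catch { return 'malformed-client-data'; }
  if (!clientData || typeof clientData.challenge !== 'string') return 'malformed-client-data';
  if (clientData.type !== 'webauthn.get') return 'wrong-type';
  const challenge = Buffer.from(clientData.challenge, 'base64url');
  if (challenge.length !== expected.challenge.length ||
      !crypto.timingSafeEqual(challenge, expected.challenge)) return 'challenge-mismatch';
  if (clientData.origin !== expected.origin) return 'origin-mismatch';
  if (authenticatorData.length < 37) return 'authdata-too-short';
  // First 32 bytes of authenticatorData are SHA-256 of the RP ID the key is scoped to.
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpid-mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad-signature';
  return 'ok';
}

// Constructed scenario: the same key signs once on the real origin and once on a
// look-alike origin that relayed the server's challenge.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const expected = { origin: 'https://login.example', rpId: 'login.example',
                     challenge: crypto.randomBytes(32) };
  const genuine = makeSampleAssertion(privateKey, expected);
  const relayed = makeSampleAssertion(privateKey, { ...expected, origin: 'https://login-example.test' });
  return [verifyAssertion(genuine, publicKey, expected), verifyAssertion(relayed, publicKey, expected)];
}
console.log(demo()); // [ 'ok', 'origin-mismatch' ]
```

The relayed assertion carries a valid signature over the correct challenge and is still rejected, because the origin is part of the signed data. A DID-based scheme needs an equivalent binding for the same protection.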