Re: Feedback on DID Auth paper from Markus Sabadello on 2018-06-20 (public-credentials@w3.org from June 2018)

From: Markus Sabadello <markus@danubetech.com>
Date: Wed, 20 Jun 2018 14:52:53 +0200
To: Adam Powers <adam@fidoalliance.org>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <19a415bb-bb41-b2f0-a009-72f6eebf8a62@danubetech.com>
Thanks Adam for your feedback. I already meant to reach out to you
separately, but you were faster :)

The section on DID Auth and WebAuthn is still an open PR, if you like
feel free to just propose text changes directly there:
https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/90

Yes you are right the function calls are based on your IIW slides.
I agree we could instead include the more precise data structures from
the WebAuthn spec.
I guess there's a trade-off between low-level precision, and a gentle
introduction; perhaps the latter is more useful for a document that's
just an introduction rather than a spec.

On a high level, do you think the idea is correct that the
"RegisterResponse" would contain something like a "DIDCredential" rather
than a "PublicKeyCredential", and the "SignResponse" would also include
a DID?

Regarding the origin, I don't think that would change much with DIDs.
The paper currently says "Ideally, a different DID should be used for
each WebAuthn "origin"."
Maybe we can still try to expand on this a little bit, to better explain
the relationship between DIDs and origins.

Markus

On 06/20/2018 08:51 AM, Adam Powers wrote:
> Hi Markus,
>
> Great document, thanks for putting it together.
>
> A few initial thoughts:
>
>    1. Note that FIDO / WebAuthn authenticators currently only sign
>    challenges that match the origin that was used during key creation. This is
>    explicitly to prevent phishing. As an open issue, we need to have a
>    discussion around the relationships between origins and DIDs.
>    2. In relation to #1, do you have a security model in mind? Or some
>    security goals? I'm specifically wondering about the relationship between
>    phishing and DIDs. Here are FIDO's Security Goals
>    <https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html#fido-security-goals>,
>    if that's of any help.
>    3. The WebAuthn function calls (registration, login) look very
>    simplified compared to the real calls. If you based these on my IIW slides
>    I had abstracted the calls to provide a gentle introduction, but some
>    purists or pedantic people might argue that your representation of WebAuthn
>    APIs isn't precise enough. Hopefully that doesn't happen, but I don't want
>    you to feel surprised or misled if it does. If you want to get ahead of the
>    pedantics, you can look at PublicKeyCredentialCreationOptions
>    <https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions>
>    (register) and PublicKeyCredentialRegistrationOptions
>    <https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions>
>     (login).
>
> Hope that helps.
>
> Adam
>
>
>
> On June 19, 2018 at 1:24:39 PM, Markus Sabadello (markus@danubetech.com)
> wrote:
>
> Hello Credentials Group,
>
> At RWoT#6 we started to work on a paper on "DID Auth", i.e. a protocol to
> "prove control over a DID":
> https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md
>
> Also known as "Super Sign On", as Moses calls it :)
>
> This paper doesn't define such a protocol, but it tries to capture the
> "collected community wisdom" on various ways how DID Auth _could_ be done.
> It lists potential challenge/response formats and transports, as well as
> some possible architectures how all the pieces can fit together.
>
> In the last few weeks I've worked with Dmitri Zagidulin and other authors
> and contributors to fill in the last major missing pieces, which are
> currently open PRs:
> - Biometrics in DID Auth
> <https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/89>
> - Relation to WebAuthn
> <https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/90>
> - Relation to OIDC
> <https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/91>
>
> There are still some minor edits and fixes we need to do, but the latest
> version (with all PRs merged) can now be viewed here (temporarily in my own
> fork):
> https://github.com/peacekeeper/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md
>
> Please let us know if you have feedback or think something important is
> missing or wrong (but again, this is not a spec).
>
> Special thanks to BCGov for supporting this work!
>
> Markus
>
Received on Wednesday, 20 June 2018 12:53:21 UTC