- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Mon, 08 Aug 2016 16:06:17 +0000
- To: public-webauthn@w3.org
> So IMO a viable alternative is to define a specific method for generating rawUVI. UVI opaqueness will still be an issue, but an authenticator would presumably not be able to stuff rawUVI with whatever it wants and survive scrutiny (e.g. by 3rd-party certification or perhaps legal means - see [1]).

1. I don't see a substantial difference in
   (a) specifying a requirement for computing the rawUVI (to not violate privacy etc.) and
   (b) specifying a concrete formula for computing the rawUVI.
   External applications cannot verify whether an authenticator is honest about (a) or (b) (or does something else). Security certification schemes will be able to do so.
2. I am not sure we can find a way to specify a rawUVI formula which is sufficiently generic to be used for all kinds of biometric modalities and implementations.
3. Given the proposed formula for UVI being UVI = HASH(publicKey, rawUVI), I don't know how any rawUVI value could be misused as a side-channel (unless HASH is cryptographically broken).

--
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/156#issuecomment-238285495 using your GitHub account
Received on Monday, 8 August 2016 16:06:49 UTC
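
The formula from point 3, UVI = HASH(publicKey, rawUVI), as an added example that is not part of the original message or of the WebAuthn specification. SHA-256 as HASH, the length-prefixed input encoding, the helper names and the constructed keys and rawUVI values are all assumptions; the sketch shows that one rawUVI yields unrelated UVIs under different credential public keys while staying stable for a single credential.

```python
import hashlib
import hmac


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so the (publicKey, rawUVI) boundary is unambiguous.

    Assumption: the message does not say how the two inputs are combined.
    """
    return len(field).to_bytes(4, "big") + field


def derive_uvi(public_key: bytes, raw_uvi: bytes) -> bytes:
    """UVI = HASH(publicKey, rawUVI), with SHA-256 assumed as HASH."""
    return hashlib.sha256(_lp(public_key) + _lp(raw_uvi)).digest()


def uvi_changed(stored_uvi: bytes, asserted_uvi: bytes) -> bool:
    """Relying-party side: did this assertion use a different verification record?"""
    return not hmac.compare_digest(stored_uvi, asserted_uvi)


# Constructed sample values (not real keys or biometric references).
PUBKEY_RP_A = bytes.fromhex("04" + "11" * 64)   # credential key registered at RP A
PUBKEY_RP_B = bytes.fromhex("04" + "22" * 64)   # credential key registered at RP B
RAW_UVI_FINGER_1 = b"constructed-rawUVI-finger-1"
RAW_UVI_FINGER_2 = b"constructed-rawUVI-finger-2"


def demo() -> dict:
    at_a = derive_uvi(PUBKEY_RP_A, RAW_UVI_FINGER_1)
    at_b = derive_uvi(PUBKEY_RP_B, RAW_UVI_FINGER_1)
    return {
        # Same credential, same record: the RP sees a stable value.
        "stable_for_one_credential":
            at_a == derive_uvi(PUBKEY_RP_A, RAW_UVI_FINGER_1),
        # Same record, different credential keys: RPs cannot correlate by UVI.
        "differs_across_credentials": at_a != at_b,
        # A different enrolled record under the same credential is visible.
        "new_record_detected":
            uvi_changed(at_a, derive_uvi(PUBKEY_RP_A, RAW_UVI_FINGER_2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
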