W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2016

Re: [webauthn] Clarify meaning of UVI

From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
Date: Mon, 08 Aug 2016 16:06:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-238285495-1470672375-sysbot+gh@w3.org>
>So IMO a viable alternative is to define a specific method for 
generating rawUVI. UVI opaqueness will still be an issue, but an 
authenticator would presumably not be able to stuff rawUVI with 
whatever it wants and survive scrutiny (e.g. by 3rd-party 
certification or perhaps legal means - see [1]).

1. I don't see a substantial difference in 
(a) specifying a requirement for computing the rawUVI (to no violate 
privacy etc.) and
(b) specifying a concrete formula for computing the rawUVI
External applications cannot verify whether an authenticator is honest
 about (a) or (b) (or does something else).
Security certification schemes will be able to do so.  

2. I am not sure we can find a way to specify rawUVI formula which is 
sufficiently generic to be used for all kinds of biometric modalities 
and implementations.

3. Given the proposed formula for UVI being UVI = HASH(publicKey, 
rawUVI), I don't know how any rawUVI value could be misused as a 
side-channel (unless HASH is cryptographically broken).

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/156#issuecomment-238285495 
using your GitHub account
Received on Monday, 8 August 2016 16:06:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:25 UTC