- From: Rolf Lindemann <rlindemann@noknok.com>
- Date: Wed, 10 Aug 2016 20:29:34 +0200
- To: "'Ghosh, Rahuldeva'" <rahuldeva.ghosh@intel.com>, "'W3C Web Authn WG'" <public-webauthn@w3.org>
- Cc: "'Bakshi, Sanjay'" <sanjay.bakshi@intel.com>, "'Sarangdhar, Nitin V'" <nitin.v.sarangdhar@intel.com>
- Message-ID: <02dd01d1f335$25081d00$6f185700$@noknok.com>
Hi Rahul, one comment: I would expect arrays tob e used to encoding a dynamic number of elements having the same semantics. More specifically it means the “outer” array is what I think we should have. 82 -- Value 1: CBOR array of length 2 indicating two factor usage But the “inner” array 83 -- Item 1: CBOR array of length 3 Should be a “struct” in my opinion (so just a concatenation of elements or a map of elements with their respective meaning (being userVerificationMethod, matcherProtectionType, keyProtectionType). Kind regards, Rolf Von: Ghosh, Rahuldeva [mailto:rahuldeva.ghosh@intel.com] Gesendet: Dienstag, 9. August 2016 06:14 An: 'W3C Web Authn WG' Cc: Bakshi, Sanjay; Sarangdhar, Nitin V Betreff: RE: returning a multi-factor authenticator's factor-in-use and protection scheme to the server - UVM extension proposal v2 Updated UVM extension proposal with fixed length array as per Vijay’s suggestion: User Verification Method (UVM) Extension Extension identifier webauthn_uvm Client argument The Boolean value true to indicate that this extension is requested by the WebAuthn Relying Party. Client processing None, except default forwarding of client argument to authenticator argument. Authenticator argument The Boolean value true, encoded in CBOR (major type 7, value 21). Authenticator processing The <https://w3c.github.io/webauthn/#authenticator> authenticator augments the authenticator data with a user verification method extension indicating the authentication factor(s) used to authorize the operation and the type of authenticator protection environment each factor was executing in, as defined below. This extension can be added to attestation statements and assertions. Authenticator data Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance. To accommodate this possibility the UVM is encoded as CBOR array (major type 4) with a maximum allowed length of 3 - Type 0x81 – only 1 factor was used for authentication. Type 0x82 – 2 factors were used. Type 0x83 – 3 or more factors were used. Each data item is in turn a CBOR array of length 3 (type 0x83) with the following data items: Data Item 1 – User Verification Method. This is the authentication method/factor used by the authenticator to verify the user. Available values are defined in the FIDO Registry of Predefined Values, ‘User Verification Methods’ section. It is encoded as a CBOR unsigned integer (Major type 0). Data Item 2 – Key Protection Type. This is the method used by the authenticator to protect the FIDO registration private key material. Available values are defined in the FIDO Registry of Predefined Values, ‘Key Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0). Data Item 3 – Matcher Protection Type. This is the method used by the authenticator to protect the matcher that performs user verification. Available values are defined in the FIDO Registry of Predefined Values, ‘Matcher Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0). This is repeated for each factor used in the authentication instance. If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes will be most relevant to the Server to include in the UVM. Servers supporting the UVM extension MUST support a length up to 36 bytes for a 3 factor maximum UVM value. Example for rawData containing one UVM extension for a multi-factor authentication instance where 2 factors were used: F1 D0 -- This is a WebAuthn packed rawData object 81 -- TUP and ED set 00 00 00 01 -- (initial) signature counter ... -- all public key alg etc. A1 -- extension: CBOR map of one element 6C -- Key 1: CBOR text string of 12 bytes 77 65 62 61 75 74 68 6E 2E 75 76 6d -- "webauthn_uvm" UTF-8 string 82 -- Value 1: CBOR array of length 2 indicating two factor usage 83 -- Item 1: CBOR array of length 3 02 -- Subitem 1: CBOR integer for User Verification Method Fingerprint 04 -- Subitem 2: CBOR short for Key Protection Type TEE 02 -- Subitem 3: CBOR short for Matcher Protection Type TEE 83 -- Item 2: CBOR array of length 3 04 -- Subitem 1: CBOR integer for User Verification Method Passcode 01 -- Subitem 2: CBOR short for Key Protection Type Software 01 -- Subitem 3: CBOR short for Matcher Protection Type Software Rahul From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com] Sent: Monday, August 08, 2016 2:04 PM To: Ghosh, Rahuldeva <rahuldeva.ghosh@intel.com>; 'W3C Web Authn WG' <public-webauthn@w3.org> Cc: Bakshi, Sanjay <sanjay.bakshi@intel.com>; Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com> Subject: RE: returning a multi-factor authenticator's factor-in-use and protection scheme to the server - UVM extension proposal IMO it would be nicer to have the representation be as specific as possible, to help parsers and avoid creating attack surface. Any given authenticator will likely be manufactured with support for a fixed number of methods at a time (usually 1 or 2 at most) so they can still hardcode that number in their implementations. From: Ghosh, Rahuldeva [mailto:rahuldeva.ghosh@intel.com] Sent: Monday, August 08, 2016 11:22 AM To: Vijay Bharadwaj <vijaybh@microsoft.com>; 'W3C Web Authn WG' <public-webauthn@w3.org> Cc: Bakshi, Sanjay <sanjay.bakshi@intel.com>; Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com> Subject: RE: returning a multi-factor authenticator's factor-in-use and protection scheme to the server - UVM extension proposal Yep, that can be done too. I chose to take advantage of CBOR’s extendable length array mechanism and keep as many fields of the extension fixed as possible. But I am open to changing the length field to the # of entries present instead of indefinite length, especially if it keeps the server side implementation simpler. Rahul From: Vijay Bharadwaj [mailto:vijaybh@microsoft.com] Sent: Monday, August 08, 2016 9:48 AM To: Ghosh, Rahuldeva <rahuldeva.ghosh@intel.com>; 'W3C Web Authn WG' <public-webauthn@w3.org> Cc: Bakshi, Sanjay <sanjay.bakshi@intel.com>; Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com> Subject: RE: returning a multi-factor authenticator's factor-in-use and protection scheme to the server - UVM extension proposal Ø Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance. To accommodate this possibility the UVM is encoded as an indefinite length CBOR array (type 0x9F) with a maximum allowed length of 3. Why not just use the definite length form with the length set to the number of entries actually present? From: Ghosh, Rahuldeva [mailto:rahuldeva.ghosh@intel.com] Sent: Sunday, August 07, 2016 11:06 PM To: 'W3C Web Authn WG' <public-webauthn@w3.org> Cc: Bakshi, Sanjay <sanjay.bakshi@intel.com>; Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com> Subject: RE: returning a multi-factor authenticator's factor-in-use and protection scheme to the server - UVM extension proposal Here’s a proposal for the User Verification Method (UVM) extension as discussed in last week’s meeting. This extension supports multi-factor authenticators where multiple factors can potentially be in used in a single authentication instance. The max number of factors that can be reported by the extension is capped at 3 and the choice on which 3 to include, in case >3 factors are used, is left to the authenticator vendor. This of course is an extreme case, usually there will only be one factor used in any single authentication instance. Looking forward to comments. Rahul From: Hodges, Jeff [mailto:jeff.hodges@paypal.com] Sent: Tuesday, July 26, 2016 8:12 AM To: Ghosh, Rahuldeva <rahuldeva.ghosh@intel.com> Cc: W3C Web Authn WG <public-webauthn@w3.org>; Bakshi, Sanjay <sanjay.bakshi@intel.com>; Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com> Subject: Re: returning a multi-factor authenticator's factor-in-use and protection scheme to the server On 7/24/16, 11:35 PM, "Ghosh, Rahuldeva" <rahuldeva.ghosh@intel.com> wrote: I can send out a change proposal to the UVI extension if we are all ok with this approach. sure, I'm fine with reviewing such a proposal. =JeffH
Received on Wednesday, 10 August 2016 18:30:06 UTC