Re: [webauthn] Enable web developers to migrate keys from one domain to another

While @AngeloKai's use-case in the original posting is a valid one, the right way to address this problem is through a business transaction, and to keep the authentication protocol true to one of its core principles: preserving a user's privacy.  I fear that the compromise of web-applications at one site may be used to exploit FIDO credentials at another site if this privacy barrier is broken at the protocol layer.

When _acquirer.com_ merges with/buys out _acquisition.net_, there is a legitimate need to know that John Doe at acquirer.com is the same as John D. at acquisition.net.  However, once the merger has concluded, it is better for a business web-application on each site to request the authenticated user on their site, to identify themselves from the other company from the merger, so they can combine "assets" and provide a better experience for the user on both sites.  The merger of user-data is for **business** purposes, so it should appropriately be relegated to a business-transaction flow.

FIDO protocols are good.  Authenticators have been implemented to store/manage from 10 to an unlimited number of key-pairs.  Having multiple key-pairs on the Authenticator - one for each domain - is not the end of the world for devices that are likely to be "free" in 18-24 months.  But to start adding technological/protocol baggage for business transactions that get done/undone/redone is (to flog the same old horse) going down the path of PKI again.

PKI - at its core - was as elegant as FIDO once upon a time (from a cryptographical and data-structure pov).  When ill-conceived business functions were added to digital certificates (through extensions, constraints, attribute certificates, etc.), it became the proverbial Gordian Knot.  And, that is why FIDO exists today.

While I don't track all the conversations on this forum - except for occasional catches like this - please use this litmus test when evaluating whether a protocol/specification change is necessary: _Is the problem being solved a BUSINESS function?_  If so, please stop right there and let business-application developers solve it where it belongs - in their applications.  

Thank you.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/458#issuecomment-321351865 using your GitHub account

Received on Wednesday, 9 August 2017 19:07:05 UTC