Re: [webauthn] Allow RPs to choose between "required" and "optional" attestation in credentials.create()

While it would be more work did Google consider using a real Privacy CA model?

The authenticator would need to produce a attestation signed by EK and a CSR signed its fixed Key containing the EK for the platform.  The platform would then send the CSR portion to the Privacy CA and get back a certificate for EK (Hence the name CA) and the platform would pass along the Authenticator generated Attestation and the Privacy CA generated cert.   That is sort of defined now but just for TPM, but could be generalized as a packed Privacy CA Attestation that the authenticator would generate for the platform.

It is a lot of work but might be a better model if Privacy were the only concern.

The first question would be how would the authenticator know what one to produce, if we were to consider something like that.  The nice thing is that you could safely have much smaller batch sizes on K and the Privacy CA learns nothing useful, but could block compromised attestation keys.

Just asking the question. 

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at using your GitHub account

Received on Thursday, 12 October 2017 18:06:09 UTC