W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2017

Re: [webauthn] Adding a choice for RP to express preferences for attestation types

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Mon, 16 Oct 2017 22:40:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337064561-1508193599-sysbot+gh@w3.org>
Microsoft believes strongly that RPs MUST know the details of the device that holds a key including manufacturer, model and if relevant, a firmware version. 

Just recently a vulnerability in TPMs built by one of the main TPM manufacturers was uncovered (https://www.infineon.com/cms/en/product/promopages/rsa-update/). Cloud and internal databases have to be purged and x509 certificates revoked in response to this compromise. Attestation that specifies device details is a great data to identify weak or compromised keys. 

One could argue that a “privacy CA” could take on revocation responsibilities as well, but we know from experience that such revocation models don’t work. PKI support certificate revocation lists and OCSP responses, yet every modern browser has introduced an ability to revoke a specific TLS server certificate in a case of a compromise. This is not only because those revocation mechanism were not designed with Internet-speed security issues in mind, but because browser vendors don’t want to be at the mercy of CA operators that have reliability issues in their deployments, poor security response practices, etc. 

In conclusion, we believe that real mass security compromises are more important to address than perceived privacy problems such as mall batch device attestation. We can’t support a standard that doesn’t allow to know what type of device holds private keys we trust. Note that we do believe in privacy protection that prevent RPs from tracking specific devices so things like serial numbers or MAC addresses never need to be part of the attestation. 

Having said that, we understand other point of view and trade offs. We think, its RP's choice what behavior it wants. We need an ability for RP's to opt out of privacy CA and return the current format. The current wording of the PR does not reflect that. RP's `MUST` have an option to opt out explicitly of privacy CA if it chooses to.


-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/636#issuecomment-337064561 using your GitHub account
Received on Monday, 16 October 2017 22:40:03 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:28 UTC