W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

[webauthn] Make packed attestation format Privacy CA-friendly

From: balfanz via GitHub <sysbot+gh@w3.org>
Date: Tue, 26 Sep 2017 23:44:20 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-260803147-1506469448-sysbot+gh@w3.org>
balfanz has just created a new issue for https://github.com/w3c/webauthn:

== Make packed attestation format Privacy CA-friendly ==
Currently, the packed attestation format requires that the attestation key sign over - among other things - the RP ID hash and client data hash.

If/when we move to a Privacy CA model - in which the attestation signature generated by the authenticator is replaced by the attestation signature generated by the Privacy CA - it is desirable that the Privacy CA not learn the identity of the Relying Party that the user is signing into. But that identity is easily recoverable from the RP ID hash and - possibly (although unlikely) - from the client data hash.

Therefore, the packed attestation format should be changed to require that the attestation key sign over the newly-generated credential public key, and the newly-generated credential private key sign over the RP ID hash and client data hash.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/584 using your GitHub account
Received on Tuesday, 26 September 2017 23:44:14 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC