W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

Re: [webauthn] Make packed attestation format Privacy CA-friendly

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Fri, 29 Sep 2017 02:58:12 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-333018382-1506653879-sysbot+gh@w3.org>
In case of using Privacy-CA model, the authenticator has Endorsement key (EK) which is long-term key like attestation key in Basic Attestation model. 
In stead of using EK directly for the attestation during registration, the authenticators uses Attestation Identity Keys (AIKs) which are very short-term keys. 
These keys are generated during AIK certificate enrollment process between the authenticator and the Privacy-CA, which is trusted component and honors privacy of the authenticator. If the privacy are concerns, these keys can be generated as many as possible if there are room for maintaining the keys.
During enrollment process, Privacy-CA cannot get any information regarding RP to which the authenticator will attest.
So, if the authenticator uses different AIKs per RP during registration, the privacy of authenticators can be satisfied among different RPs.
As a result, we don't have to change toBeSigned structure for Privacy-CA type of attestation.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/584#issuecomment-333018382 using your GitHub account
Received on Friday, 29 September 2017 02:58:03 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC