webauthn forces people to buy hardware

Hello WebAuthn,

I want to talk about an ethical aspect of the current WebAuthn paper.

Paragraph 5 says that authentication has to be used on a client 
platform, which is defined in 4 as client software and a client 
*hardware binding* - the software alone is not allowed to authenticate.

I think it is not an acceptable requirement for users to have to buy 
hardware to be able to use WebAuthn. Or more precisely: to exclude 
persons from WebAuthn who currently have no hardware that can be 
used by WebAuthn, or to force them to buy one.

Please think about this, and specify in the standard that there at 
best MUST be a way to fetch a public key without a hardware binding in 
the background if there is none.

Or ask: is the other way, forcing your users to buy hardware to regain 
security, really ethically an option to you?!

Regards,
Markus Schräder

P.S.: Are there established alternatives?

The established, easy(!) alternative way, which we use daily, *without 
hardware binding*, just in the client software, just got removed in 
Chrome by removing the keygen tag and is also going to be removed by 
Firefox soon. There is a .p12 import alternative on Windows and Mac 
- but not for Firefox. So we especially need WebAuthn in Firefox to be 
able to allow users to get authentication security.

The thing is: the removal from Chrome does not hit many users, because 
you can simply import a .p12 file on Windows and macOS and you're done. 
But Firefox has its own certificate store, so this will not help in 
this case! If Firefox also removes the keygen tag, and WebAuthn 
excludes persons without a bought hardware token, you are just taking 
an established security feature away from them.

-- 

Markus Schräder
Managing Director

CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
Tel: 0821 / 217 009-0 (extension: -11), Fax: 0821/217 009-99
Managing Director: Markus Schräder
Registered office: Augsburg; Register court: Amtsgericht Augsburg; Registration number: HRB30402
VAT ID: DE305330428, Tax no.: 103/123/80744

Received on Thursday, 9 August 2018 15:43:43 UTC