Re: webauthn forces people to buy hardware

Hi John,

It is understandable that a vendor of hardware tokens, here Yubico, 
likes the idea that - at least some - people are forced to buy hardware 
from them.

I think a paper from/for web browser vendors should not support this 
behavior and should make clear that a software-only authenticator MUST be 
implemented, so this does not lead to an abuse of power by forcing the 
users to buy this hardware.

You can say that the cases you mentioned make this problem go away - I 
just do not think so. Any user who gets forced to buy this hardware, 
without any need, is in my eyes one user too many. There is just no need 
to not allow this, if you show the user a warning - maybe at every login - 
that this could be more secure with a hardware token. But not to ensure 
that the user can do without - already in the paper - is for me an 
abuse of your power.

A paper should in my eyes also mention this ethical aspect and not just 
skip it by pointing to cases where this is not a problem. I think nobody 
should support this interest of companies like Yubico, not even for 
security - which by the way is not given at all: a hardware token also 
does not prevent man-in-the-middle attacks. It only stops copying keys - 
but this is another discussion.

Regards,
Markus Schraeder


On 09.08.2018 18:39, John Bradley wrote:
>
> Windows Edge supports a platform authenticator unlocked by 
> Windows Hello biometrics or by a PIN. At some point the OS API for 
> the platform authenticator will be opened up to other browsers. I 
> believe the keys are stored in the TPM.
>
> Chrome has a platform authenticator behind a flag on OSX using the 
> Touch Bar, and coming for Android.
>
> Mozilla has some sort of beta test authenticator you can turn on with 
> a flag.
>
> The question for cross platform clients is where to store the private 
> keys.
>
> Based on attestations, RPs should be able to tell if the keys are in 
> hardware or in software.
>
> Nothing prevents an entirely software authenticator. It however may 
> be treated differently by some RPs.
>
> Our hope is that most devices will support some built in secure key 
> storage.
>
> There is a separation between the software client that is part of the 
> browser and the authenticator. However the authenticator has more 
> options than just a separate hardware device.
>
> Regards
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for 
> Windows 10
>
> *From: *Emil Lundberg <mailto:emil@yubico.com>
> *Sent: *Thursday, August 9, 2018 12:28 PM
> *To: *Markus Schräder <mailto:markus.schraeder@cryptomagic.eu>
> *Cc: *public-webauthn@w3.org <mailto:public-webauthn@w3.org>
> *Subject: *Re: webauthn forces people to buy hardware
>
> This is a continuation of a discussion that started in issue 1027: 
> https://github.com/w3c/webauthn/issues/1027
>
> >The paragraph 5. says, that Authentication has to be used on a client 
> platform, which is in 4. defined as a client software and a client 
> *hardware binding* - the software alone is not allowed to authenticate.
>
> No, the term "client platform 
> <https://w3c.github.io/webauthn/#client-platform>" is defined as
>
> >A client device <https://w3c.github.io/webauthn/#client-device> and a 
> client <https://w3c.github.io/webauthn/#client> together make up a 
> client platform <https://w3c.github.io/webauthn/#client-platform>.
>
> and "client device <https://w3c.github.io/webauthn/#client-device>" as
>
> >The hardware device on which the WebAuthn Client 
> <https://w3c.github.io/webauthn/#webauthn-client> runs, for example a 
> smartphone, a laptop computer or a desktop computer, and the operating 
> system running on that hardware.
>
> These terms make no assumptions about whether the authenticator is 
> implemented in hardware or pure software.
>
> >I think it is not an acceptable requirement for users to have to buy 
> hardware to be able to use webauthn. Or more precisely: To exclude 
> persons from webauthn who currently have no hardware to be able to be 
> used by webauthn, or to force them to buy one.
>
> We do not expect most users to buy separate authenticator hardware in 
> order to use WebAuthn. It's more likely that most users will use the 
> platform authenticators integrated into their mobile devices and 
> laptops for most use cases, some of which will likely also be made 
> available to other devices as external authenticators via Bluetooth.
>
> I hope this goes some way to alleviate your concerns.
>
> /Emil
>
> On Thu, Aug 9, 2018 at 5:44 PM Markus Schräder 
> <markus.schraeder@cryptomagic.eu 
> <mailto:markus.schraeder@cryptomagic.eu>> wrote:
>
>     Hello WebAuthn,
>
>     I want to talk about an ethical aspect of the current webauthn
>     paper.
>
>     The paragraph 5. says, that Authentication has to be used on a
>     client platform, which is in 4. defined as a client software and a
>     client *hardware binding* - the software alone is not allowed to
>     authenticate.
>
>     I think it is not an acceptable requirement for users to have to
>     buy hardware to be able to use webauthn. Or more precisely: To
>     exclude persons from webauthn who currently have no hardware to be
>     able to be used by webauthn, or to force them to buy one.
>
>     Please think about this, and specify in the standard that there,
>     at best, MUST be a way to fetch a public key without a hardware
>     binding in the background if there is none.
>
>     Or ask: Is the other way, forcing your users to buy hardware to
>     regain security, really ethically an option to you?!
>
>     Regards,
>     Markus Schräder
>
>     P.S.: Are there established alternatives?
>
>     The established, easy(!) alternative way, which we use daily,
>     *without hardware binding*, just in the client software, just got
>     removed from Chrome by removing the keygen tag and is also going to
>     be removed by Firefox soon. There is a .p12 import as an alternative
>     way on Windows and Mac - but not for Firefox. So we especially need
>     WebAuthn in Firefox to be able to allow users to get authentication
>     security.
>
>     The thing is: the removal from Chrome does not hit many users,
>     because you can simply import a .p12 file on Windows and macOS and
>     you're done. But Firefox has its own certificate store, so this
>     will not help in this case! If Firefox also removes the
>     keygen tag, and WebAuthn will exclude persons without a bought
>     hardware token, you are just taking an established security feature
>     from them.
>
>     -- 
>
>     Markus Schräder
>
>     Geschäftsführer
>
>     CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
>
>     Tel: 0821 / 217 009-0 (Durchwahl: -11), Fax: 0821/217 009-99
>
>     Geschäftsführer: Markus Schräder
>
>     Sitz der Gesellschaft: Augsburg; Registergericht: Amtsgericht Augsburg; Registernummer: HRB30402
>
>     USt-ID: DE305330428, St-Nr: 103/123/80744
>
> -- 
>
> *Emil Lundberg*
>
> Software Developer | *Yubico* <http://www.yubico.com/>
>

-- 
Markus Schräder
Geschäftsführer

CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
Tel: 0821 / 217 009-0 (Durchwahl: -11), Fax: 0821/217 009-99
Geschäftsführer: Markus Schräder
Sitz der Gesellschaft: Augsburg; Registergericht: Amtsgericht Augsburg; Registernummer: HRB30402
USt-ID: DE305330428, St-Nr: 103/123/80744

Received on Thursday, 9 August 2018 17:20:21 UTC