RE: webauthn forces people to buy hardware

Windows Edge supports a platform authenticator unlocked by Windows Hello biometrics or by a PIN. At some point the OS API for the platform authenticator will be opened up to other browsers. I believe the keys are stored in the TPM.

Chrome has a platform authenticator behind a flag on OSX using the touch bar, and coming for Android.

Mozilla has some sort of beta test authenticator you can turn on with a flag.

The question for cross platform clients is where to store the private keys.
Based on attestations, an RP should be able to tell if the keys are in hardware or in software.

Nothing prevents an entirely software authenticator.  It however may be treated differently by some RP.

Our hope is that most devices will support some built in secure key storage.

There is a separation between the software client that is part of the browser and the authenticator.  However the authenticator has more options than just a separate hardware device.

Regards
John B.

Sent from Mail for Windows 10
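As an added illustration of the point above about attestations (this is example code written for this page, not code from the thread, from the spec, or from any WebAuthn implementation): an RP-side helper that parses the authenticator data returned at registration (rpIdHash, flags, signCount, AAGUID, credential ID, as laid out in the WebAuthn spec) and classifies the credential by attestation format and AAGUID. The AAGUID lists, RP ID and credential bytes are constructed for the example; a real RP would take AAGUID metadata from the FIDO Metadata Service, and the classification is only meaningful once the attestation statement's signature has been verified against a trusted root, which this snippet deliberately does not do.

```python
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

# Constructed (made-up) AAGUIDs for this example. A real RP would source these
# from the FIDO Metadata Service or vendor documentation, not hard-code them.
HARDWARE_AAGUIDS = {bytes.fromhex("0123456789abcdef0123456789abcdef")}
SOFTWARE_AAGUIDS = {bytes.fromhex("ffffffffffffffffffffffffffffffff")}
ALL_ZERO_AAGUID = bytes(16)  # what a "none" attestation usually carries


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fixed header and, if flagged,
    the attested credential data (AAGUID, credential ID, COSE key bytes)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credentialId"] = cred_id
        # The COSE public key (CBOR) follows; decoding it is out of scope here.
        parsed["credentialPublicKey"] = auth_data[55 + cred_id_len:]
    return parsed


def classify_key_storage(fmt: str, auth_data: bytes, rp_id: str) -> str:
    """Return 'hardware', 'software' or 'unknown' for a registration response.

    Assumes the caller has already verified the attestation statement's
    signature and trust chain; without that, the AAGUID is just a claim."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    if "aaguid" not in parsed:
        raise ValueError("registration response must carry attested credential data")
    aaguid = parsed["aaguid"]
    # No attestation (fmt "none", zero AAGUID): the RP has no evidence either way.
    if fmt == "none" or aaguid == ALL_ZERO_AAGUID:
        return "unknown"
    if aaguid in HARDWARE_AAGUIDS:
        return "hardware"
    if aaguid in SOFTWARE_AAGUIDS:
        return "software"
    return "unknown"


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: bytes,
                    cred_id: bytes, cose_key: bytes = b"\xa0") -> bytes:
    """Construct sample authenticator data for testing (hypothetical values;
    the default COSE key is a placeholder empty CBOR map, not a real key)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key)


if __name__ == "__main__":
    hw = next(iter(HARDWARE_AAGUIDS))
    sample = build_auth_data("example.org", FLAG_UP | FLAG_UV | FLAG_AT, 7, hw, b"\x01\x02\x03")
    print(classify_key_storage("packed", sample, "example.org"))
```

The three-way result is the policy hook John describes: an RP that only accepts "hardware" will reject a pure software authenticator, while one that accepts "unknown" admits self-attested or unattested credentials and so admits software authenticators too.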

From: Emil Lundberg
Sent: Thursday, August 9, 2018 12:28 PM
To: Markus Schräder
Cc: public-webauthn@w3.org
Subject: Re: webauthn forces people to buy hardware

This is a continuation of a discussion that started in issue 1027: https://github.com/w3c/webauthn/issues/1027

>The paragraph 5. says, that Authentication has to be used on a client platform, which is in 4. defined as a client software and a client hardware binding - the software alone is not allowed to authenticate.

No, the term "client platform" is defined as

>A client device and a client together make up a client platform.

and "client device" as

>The hardware device on which the WebAuthn Client runs, for example a smartphone, a laptop computer or a desktop computer, and the operating system running on that hardware.

These terms make no assumptions about whether the authenticator is implemented in hardware or pure software.

>I think it is not an acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: To exclude persons from webauthn who currently have no hardware to be able to be used by webauthn, or to force them to buy one.

We do not expect most users to buy separate authenticator hardware in order to use WebAuthn. It's more likely that most users will use the platform authenticators integrated into their mobile devices and laptops for most use cases, some of which will likely also be made available to other devices as external authenticators via Bluetooth.

I hope this goes some way to alleviate your concerns.

/Emil

On Thu, Aug 9, 2018 at 5:44 PM Markus Schräder <markus.schraeder@cryptomagic.eu> wrote:
Hello WebAuthn,
I want to talk about an ethical aspect of the current webauthn paper.
The paragraph 5. says, that Authentication has to be used on a client platform, which is in 4. defined as a client software and a client hardware binding - the software alone is not allowed to authenticate.
I think it is not an acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: To exclude persons from webauthn who currently have no hardware to be able to be used by webauthn, or to force them to buy one.
Please think about this, and specify in the standard that there at best MUST be a way to fetch a public key without a hardware binding in the background if there is none.
Or ask: Is the other way, forcing your users to buy hardware to regain security, really ethically an option to you?!
Regards,
Markus Schräder
P.S.: Are there established alternatives?
The alternative established easy(!) way, which we daily use, without hardware binding just in the client software, just got removed on Chrome by removing the keygen tag and is also going to be removed by Firefox soon. There is a .p12 import alternative way on Windows and Mac - but not for Firefox. So we especially need webauthn in Firefox to be able to allow users to get authentication security.
The thing is: The removal from Chrome does not hit many users, because you can simply import a .p12 file on Windows and macOS and you're done. But Firefox has its own certificate store, so this will not help in this case! If Firefox also removes the keygen tag, and webauthn will exclude persons without a bought hardware token, you are just taking an established security feature from them.
-- 
Markus Schräder
Managing Director

CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
Tel: 0821 / 217 009-0 (extension: -11), Fax: 0821/217 009-99
Managing Director: Markus Schräder
Registered office: Augsburg; Register court: Amtsgericht Augsburg; Register number: HRB30402
VAT ID: DE305330428, Tax no.: 103/123/80744
-- 
Emil Lundberg
Software Developer | Yubico

Received on Thursday, 9 August 2018 18:05:34 UTC