- From: Markus Schräder <markus.schraeder@cryptomagic.eu>
- Date: Thu, 9 Aug 2018 21:15:37 +0200
- To: "public-webauthn@w3.org" <public-webauthn@w3.org>
- Message-ID: <52a16097-920a-83b2-de5e-7e1e8d5faed9@cryptomagic.eu>
Hi John,

maybe you're right and I am misunderstanding the wording; you proved the possibility to implement it differently from my interpretation. I have tested and filed a bug on Mozilla, let's see what's happening: https://bugzilla.mozilla.org/show_bug.cgi?id=1481890

If nobody else reads it as a buying force for users, then let it be as it is. Maybe only my opinion, or maybe only my preference for doing this kind of thing differently for a worldwide community.

Regards,
Markus Schraeder

On 09.08.2018 20:03, John Bradley wrote:
> PS I think you need to turn off
>
> security.webauth.webauthn_enable_usbtoken;false
>
> Or it looks for an external token first.
>
> I just tested it on Microsoft's webauthn test site
>
> https://webauthntest.azurewebsites.net/
>
> It works but FireFox is not prompting for user presence so I would not use it myself.
>
> Perhaps you can contribute a better one.
>
> Regards
>
> John B.
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
> From: John Bradley <ve7jtb@ve7jtb.com>
> Sent: Thursday, August 9, 2018 1:55 PM
> To: Markus Schräder <markus.schraeder@cryptomagic.eu>; Anthony Nadalin <tonynad@microsoft.com>; public-webauthn@w3.org
> Subject: RE: webauthn forces people to buy hardware
>
> FireFox: go to about:config
>
> Turn on
>
> security.webauth.webauthn;true
>
> and
>
> security.webauth.webauthn_enable_softtoken;true
>
> At least those are the flags in nightly.
>
> The softtoken is still in development, and probably not for production yet, if ever.
>
> One of the FireFox people can comment on that.
>
> My point being that it exists and is not precluded by the specification.
>
> John B.
>
> From: Markus Schräder <markus.schraeder@cryptomagic.eu>
> Sent: Thursday, August 9, 2018 1:40 PM
> To: Anthony Nadalin <tonynad@microsoft.com>; public-webauthn@w3.org
> Subject: Re: webauthn forces people to buy hardware
>
> For example the current demos for Firefox just do not work on my system, because there is no hardware device in the background, yes, no yubico device. So I now must ... let's guess ... buy a yubico hardware device to get webauthn working?
>
> > TPM is integrated inside Intel HW which is used for protection of HW keys and hence as long as the PC ships in TPM enabled mode there is no need to purchase additional HW to meet this requirement.
>
> What if I have a computer without or with a deactivated TPM?
>
> Do you still see no issue?
>
> For exactly these cases it should be ensured that every vendor has a fallback implemented just via software, or the user gets no security without buying hardware.
>
> On 09.08.2018 19:29, Anthony Nadalin wrote:
> > In the case that the device runs Windows there is no extra hardware to purchase, also there is no requirement for hardware, these can also be software keys, so I don't see any issue here
> >
> > From: Markus Schräder <markus.schraeder@cryptomagic.eu>
> > Sent: Thursday, August 9, 2018 10:20 AM
> > To: John Bradley <ve7jtb@ve7jtb.com>; public-webauthn@w3.org
> > Subject: Re: webauthn forces people to buy hardware
> >
> > Hi John,
> >
> > it is understandable that a vendor of hardware tokens, here yubico, likes the idea that - at least some - people are forced to buy hardware from them.
> >
> > I think a paper from/for web browser vendors should not support this behavior and should make clear that a software-only authenticator MUST be implemented, so this does not lead to an abuse of power by forcing the users to buy this hardware.
> >
> > You can say that the cases you mentioned make this problem go away - I just do not think so. Any user who gets forced to buy this hardware, without any need, is in my eyes one user too many. There is just no need to not allow this, if you show the user a warning - maybe at every login - that this could be more secure with a hardware token. But to not ensure that the user can do without - already in the paper - is for me an abuse of your power.
> >
> > A paper should in my eyes also mention this ethical aspect and not just skip this by citing cases where this is not a problem. I think nobody should support this interest of companies like yubico, also not for security - which by the way is not given at all: even a hardware token does not prevent man-in-the-middle attacks. It only stops copying keys - but this is another discussion.
> >
> > Regards,
> > Markus Schraeder
> >
> > On 09.08.2018 18:39, John Bradley wrote:
> > > Windows Edge supports a platform authenticator unlocked by Windows Hello biometrics or by a PIN. At some point the OS API for the platform authenticator will be opened up to other browsers. I believe the keys are stored in the TPM.
> > >
> > > Chrome has a platform authenticator behind a flag on OSX using the touch bar, and coming for Android.
> > >
> > > Mozilla has some sort of beta test authenticator you can turn on with a flag.
> > >
> > > The question for cross platform clients is where to store the private keys.
> > >
> > > Based on attestations, RPs should be able to tell if the keys are in hardware or in software.
> > >
> > > Nothing prevents an entirely software authenticator. It however may be treated differently by some RPs.
> > >
> > > Our hope is that most devices will support some built-in secure key storage.
> > >
> > > There is a separation between the software client that is part of the browser and the authenticator. However the authenticator has more options than just a separate hardware device.
> > >
> > > Regards
> > >
> > > John B.
> > >
> > > From: Emil Lundberg <emil@yubico.com>
> > > Sent: Thursday, August 9, 2018 12:28 PM
> > > To: Markus Schräder <markus.schraeder@cryptomagic.eu>
> > > Cc: public-webauthn@w3.org
> > > Subject: Re: webauthn forces people to buy hardware
> > >
> > > This is a continuation of a discussion that started in issue 1027: https://github.com/w3c/webauthn/issues/1027
> > >
> > > > The paragraph 5. says that Authentication has to be used on a client platform, which is in 4. defined as a client software and a client *hardware binding* - the software alone is not allowed to authenticate.
> > >
> > > No, the term "client platform" <https://w3c.github.io/webauthn/#client-platform> is defined as
> > >
> > > > A client device <https://w3c.github.io/webauthn/#client-device> and a client <https://w3c.github.io/webauthn/#client> together make up a client platform <https://w3c.github.io/webauthn/#client-platform>.
> > >
> > > and "client device" <https://w3c.github.io/webauthn/#client-device> as
> > >
> > > > The hardware device on which the WebAuthn Client <https://w3c.github.io/webauthn/#webauthn-client> runs, for example a smartphone, a laptop computer or a desktop computer, and the operating system running on that hardware.
> > >
> > > These terms make no assumptions about whether the authenticator is implemented in hardware or pure software.
> > >
> > > > I think it is not an acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: to exclude persons from webauthn who currently have no hardware that can be used by webauthn, or to force them to buy one.
> > >
> > > We do not expect most users to buy separate authenticator hardware in order to use WebAuthn. It's more likely that most users will use the platform authenticators integrated into their mobile devices and laptops for most use cases, some of which will likely also be made available to other devices as external authenticators via Bluetooth.
> > >
> > > I hope this goes some way to alleviate your concerns.
> > >
> > > /Emil
> > >
> > > On Thu, Aug 9, 2018 at 5:44 PM Markus Schräder <markus.schraeder@cryptomagic.eu> wrote:
> > > > Hello WebAuthn,
> > > >
> > > > I want to talk about an ethical aspect of the current webauthn paper.
> > > >
> > > > The paragraph 5. says that Authentication has to be used on a client platform, which is in 4. defined as a client software and a client *hardware binding* - the software alone is not allowed to authenticate.
> > > >
> > > > I think it is not an acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: to exclude persons from webauthn who currently have no hardware that can be used by webauthn, or to force them to buy one.
> > > >
> > > > Please think about this, and specify in the standard that, at best, there MUST be a way to fetch a public key without a hardware binding in the background if there is none.
> > > >
> > > > Or ask: Is the other way, forcing your users to buy hardware to regain security, really ethically an option to you?!
> > > >
> > > > Regards,
> > > > Markus Schräder
> > > >
> > > > P.S.: Are there established alternatives?
> > > >
> > > > The alternative established easy(!) way, which we use daily, *without hardware binding* just in the client software, just got removed in Chrome by removing the keygen tag and is also going to be removed by Firefox soon. There is a .p12 import alternative on Windows and Mac - but not for Firefox. So we especially need webauthn in Firefox to be able to allow users to get authentication security.
> > > >
> > > > The thing is: the removal from Chrome does not hit many users, because you can simply import a .p12 file on Windows and macOS and you're done. But Firefox has its own certificate store so this will not help in this case! If Firefox also removes the keygen tag, and webauthn will exclude persons without a bought hardware token, you are just taking an established security feature from them.
> > > >
> > > > --
> > > > Markus Schräder
> > > > Managing Director
> > > > CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
> > > > Tel: 0821 / 217 009-0 (extension: -11), Fax: 0821/217 009-99
> > > > Managing Director: Markus Schräder
> > > > Registered office: Augsburg; Register court: Amtsgericht Augsburg; Registration number: HRB30402
> > > > VAT ID: DE305330428, Tax no.: 103/123/80744
> > >
> > > --
> > > Emil Lundberg
> > > Software Developer | Yubico <http://www.yubico.com/>
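Two technical points in the thread are worth seeing in code: John's remark that an RP can use attestation to tell whether keys live in hardware or software (and may treat a software authenticator differently), and his observation that one Firefox build was not prompting for user presence. The JavaScript below is an added example, not code from the thread, from the WebAuthn specification or from any of the projects mentioned. It parses the `authenticatorData` structure an RP receives at registration (byte layout as in the WebAuthn specification: rpIdHash, flags, signCount, then AAGUID, credential id length and credential id when the AT flag is set) and applies an RP-side policy to the user-presence and user-verification flag bits and to the AAGUID. Treating an all-zero AAGUID as "no attestation conveyed, so hardware vs. software cannot be determined and the RP decides by policy" is this example's assumption, as are the `policy` object shape, the `evaluateRegistration` name and the constructed sample buffers.

```javascript
// Added example, not from the thread: RP-side parsing of WebAuthn
// authenticatorData plus a registration policy check.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_AT = 0x40; // attested credential data included
// Assumption: an all-zero AAGUID means the client conveyed no attestation.
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";

function formatAaguid(b) {
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join("-");
}

// Layout: rpIdHash[32] | flags[1] | signCount[4] | (if AT) aaguid[16] |
//         credIdLen[2] | credId[credIdLen] | COSE public key (not parsed here)
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  const out = {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: dv.getUint32(33), // big-endian
    aaguid: null,
    credentialId: null,
  };
  if (flags & FLAG_AT) {
    if (bytes.length < 55) throw new Error("truncated attested credential data");
    out.aaguid = formatAaguid(bytes.subarray(37, 53));
    const credIdLen = dv.getUint16(53);
    if (bytes.length < 55 + credIdLen) throw new Error("truncated credential id");
    out.credentialId = bytes.slice(55, 55 + credIdLen);
  }
  return out;
}

// Hypothetical RP policy: { requireUserVerification, acceptUnattested, allowedAaguids }.
// A software authenticator that conveys no attestation is accepted or rejected
// purely by the RP's choice, which is the point John makes in the thread.
function evaluateRegistration(authData, policy) {
  const d = parseAuthenticatorData(authData);
  const reasons = [];
  if (!d.userPresent) reasons.push("user presence not asserted");
  if (policy.requireUserVerification && !d.userVerified) reasons.push("user verification required");
  if (d.aaguid === null) {
    reasons.push("no attested credential data");
  } else if (d.aaguid === ZERO_AAGUID) {
    if (!policy.acceptUnattested) reasons.push("unattested (possibly software) authenticator not accepted");
  } else if (policy.allowedAaguids && !policy.allowedAaguids.includes(d.aaguid)) {
    reasons.push("authenticator " + d.aaguid + " not on allow list");
  }
  return { accepted: reasons.length === 0, reasons, details: d };
}

// Constructed sample authenticatorData (not captured from a real authenticator):
// placeholder rpIdHash, chosen flags, signCount 0, given AAGUID, 4-byte credential id.
function buildSample({ userPresent = true, userVerified = false, aaguid = new Uint8Array(16) } = {}) {
  const flags = (userPresent ? FLAG_UP : 0) | (userVerified ? FLAG_UV : 0) | FLAG_AT;
  const credId = new Uint8Array([0xde, 0xad, 0xbe, 0xef]);
  const buf = new Uint8Array(32 + 1 + 4 + 16 + 2 + credId.length);
  buf.fill(0xaa, 0, 32); // stand-in for SHA-256(rpId)
  buf[32] = flags;       // bytes 33..36 (signCount) stay 0
  buf.set(aaguid, 37);
  buf[53] = 0; buf[54] = credId.length;
  buf.set(credId, 55);
  return buf;
}

// Usage: the same unattested registration passes a permissive policy and fails a strict one.
console.log(evaluateRegistration(buildSample(), { acceptUnattested: true }).accepted);  // true
console.log(evaluateRegistration(buildSample(), { acceptUnattested: false }).reasons);
```

The two policies show the spectrum the thread argues about: an RP that sets `acceptUnattested: true` works with Firefox's software token as well as with any hardware key, while an RP that requires an allow-listed AAGUID effectively demands a known authenticator model. The user-presence check is what an RP would rely on to refuse a registration from a build that, as John reported, never asked the user to touch or confirm anything.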
Received on Thursday, 9 August 2018 19:16:04 UTC