RE: WebAuthn and dealing with authenticator firmware updates

My assumption right now is external authenticators don't upgrade. Upgrading the firmware needs to be thought through in terms of how securely one can upgrade. Also, due to different form factors, mechanisms will be different. An RP keeping a list of firmwares, which one is good and which one is not, is messy. And that list needs to be updated regularly by all the RPs, which is another nightmare.

From: Shane B Weeden <sweeden@au1.ibm.com>
Sent: Wednesday, February 20, 2019 10:43 AM
To: public-webauthn@w3.org
Subject: WebAuthn and dealing with authenticator firmware updates

Per posting at:
https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY

I'm considering opening a WebAuthn issue for this topic to see if there is a POV amongst WebAuthn authors on dealing with authenticator firmware version updates. This note is simply to solicit any comments on the list before I do that.

Thanks,
Shane..

Received on Thursday, 21 February 2019 00:08:18 UTC