
Re: WebAuthn and dealing with authenticator firmware updates

From: John Bradley <jbradley@yubico.com>
Date: Thu, 21 Feb 2019 10:55:18 -0300
Message-ID: <CAEY7Pj_jKFm0iSkOWnmOmc4ihnmQBtf73B+T1WN7RXxCJRGy8g@mail.gmail.com>
To: "Rolf Lindemann (rlindemann@noknok.com)" <rlindemann@noknok.com>
Cc: Shane B Weeden <sweeden@au1.ibm.com>, Ackermann Yuriy <ackermann.yuriy@gmail.com>, Akshay Kumar <Akshay.Kumar@microsoft.com>, W3C Web Authn WG <public-webauthn@w3.org>

Rolf,

I agree that reporting a version number in get and create for CTAP2 may be
a reasonable idea.

However, currently I don't think the meta-data spec really allows more than
one authenticatorVersion per AAGUID and AAGUID is unique.

This is something that could be addressed in the meta-data WG for metadata 3.

The other alternative, if we are going to allow multiple
attestation certificates per AAGUID, is to key the version number and
additional meta-data to that.

In principle not changing the attestation cert is just to prevent
correlation; if we add a version number that changes then there is no
point in keeping the same batch attestation cert when changing the exposed
version number.

Reporting the version number is fine as long as changing it or the
attestation cert are considered as part of the minimum 100K batch size.

Keying to the attestation cert could be done now in CTAP2 without any CTAP
spec change, only a meta-data one.

John B.

On Thu, Feb 21, 2019 at 4:53 AM <rlindemann@noknok.com> wrote:

> In FIDO UAF, we have the concept of an Authentication Firmware Version
> that is attested by the Authenticator (i.e. part of the signed message).
>
> See “authenticatorVersion” in the Metadata Statement. It represents the
> earliest firmware version that matches the Metadata Statement.
>
>
>
> Kind regards,
>
>     Rolf
>
>
>
> *From:* Shane B Weeden <sweeden@au1.ibm.com>
> *Sent:* Thursday, February 21, 2019 03:48
> *To:* Ackermann Yuriy <ackermann.yuriy@gmail.com>
> *Cc:* Akshay Kumar <Akshay.Kumar@microsoft.com>; public-webauthn@w3.org
> *Subject:* Re: WebAuthn and dealing with authenticator firmware updates
>
>
>
> I understand that's a stated certification requirement. My personal
> observation is that it is also a non-enforceable FIDO "rule" that has a lot
> of gray areas. For example during certification there is no measurement or
> record of firmware version, nor is it part of the metadata spec, nor can an
> RP discover it via the protocol. Are there guidelines on what may actually
> be updated without re-certification?
>
> For example, let's say I have a UV capable portable authenticator that
> does fingerprint for UV, requiring it be registered by the owner before the
> FIDO registration ceremony. A flaw is discovered that allows you to bypass
> the local UV fingerprint matching software with ... let's say an artificial
> finger. The vendor offers updated firmware to counter this flaw. Nothing in
> core FIDO has changed - for all practical purposes the authenticator still
> behaves the same against all conformance testing interfaces the same way.
> This is still potentially very useful information to an RP.
>
> Perhaps a good corporate citizen authenticator vendor does a product
> recall, or offers a free/discounted new model (new AAGUID), however at the
> moment it's also perfectly valid for the authenticator vendor to offer a
> self-service firmware upgrade. The RP would never know.
>
>
> Perhaps this just comes down to vendor reputation, requiring RP's to
> decide by way of public opinion as to whether a particular vendor's
> technologies practices are reputable?
>
> An alternative would be to prohibit any alteration to software/firmware on
> the portable authenticator without rev'ing the AAGUID. This then increases
> the cost of certification. I am not proposing a solution at the moment -
> just illustrating the issue and soliciting ideas.
>
>
>
> From: Ackermann Yuriy <ackermann.yuriy@gmail.com>
> To: Shane B Weeden <sweeden@au1.ibm.com>
> Cc: Akshay Kumar <Akshay.Kumar@microsoft.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
> Date: 21/02/2019 10:42 am
> Subject: Re: WebAuthn and dealing with authenticator firmware updates
> ------------------------------
>
>
>
>
> FIDO certified authenticators are not allowed to change FIDO core without
> recertification, either through the delta or full. So attestation does not
> lose its value.
>
> If you really need highly secure authenticators, you can look towards
> FIPS140-2 certified ones
>
> On Wed, 20 Feb 2019 at 16:21, Shane B Weeden <sweeden@au1.ibm.com> wrote:
> The reality is different. Some vendors do upgrade. Some even allow you to
> do it yourself. Others do new manufacturing runs of the same model with
> different firmware versions although it is not clear what internal rules
> apply to what may be updated in a firmware version.
>
> The lack of consistency or ability to detect this makes it challenging for
> an RP to always believe in the value of attestation given that even some
> certified authenticators work this way.
>
> Sent from my iPhone
>
> On 21 Feb 2019, at 10:07 am, Akshay Kumar <Akshay.Kumar@microsoft.com>
> wrote:
>
> My assumption right now is external authenticators don’t upgrade.
> Upgrading the firmware needs to be thought through in terms of how securely
> one can upgrade. Also due to different form factors, mechanisms will be
> different. RP keeping a list of firmwares, which one is good and which one
> is not, is messy. And that list needs to be updated regularly by all the
> RPs. Which is another nightmare.
>
>
>
> *From:* Shane B Weeden <sweeden@au1.ibm.com>
> *Sent:* Wednesday, February 20, 2019 10:43 AM
> *To:* public-webauthn@w3.org
> *Subject:* WebAuthn and dealing with authenticator firmware updates
>
>
>
> Per posting at:
>
> https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/vNs52dde7oY
>
> I'm considering opening a WebAuthn issue for this topic to see if there is
> a POV amongst webauthn authors on dealing with authenticator firmware
> version updates. This note is simply to solicit any comments on the list
> before I do that.
>
> Thanks,
> Shane...
>
>
> --
> Yuriy Ackermann
> FIDO, Identity, Standards
> skype: ackermann.yuriy
> github: @herrjemand <https://github.com/herrjemand>
> twitter: @herrjemand <https://twitter.com/herrjemand>
> medium: @herrjemand <https://medium.com/@herrjemand>
>
>
Received on Thursday, 21 February 2019 13:55:52 UTC
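
The two options discussed in this message (an attested firmware version matched against "authenticatorVersion" as the earliest firmware version a Metadata Statement applies to, and metadata keyed to the batch attestation certificate) can be compared from the RP side. The sketch below is an added example, not part of the thread or of any FIDO specification; the multi-statement layout, the `uv_flaw_fixed` annotation, the AAGUID and the certificate bytes are all constructed assumptions.

```python
import hashlib

# Constructed sample data (hypothetical, not real MDS entries).
AAGUID = "00000000-0000-0000-0000-000000000001"   # placeholder AAGUID
CERT_V1 = b"constructed-der-bytes-batch-cert-1"   # stand-in for DER cert bytes
CERT_V2 = b"constructed-der-bytes-batch-cert-2"

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

# Hypothetical layout: several statements per AAGUID, each with the earliest
# firmware version it applies to and the batch cert that identifies it.
# "uv_flaw_fixed" is an RP-side annotation invented for this example.
STATEMENTS = [
    {"aaguid": AAGUID, "authenticatorVersion": 1,
     "certs": {fingerprint(CERT_V1)}, "uv_flaw_fixed": False},
    {"aaguid": AAGUID, "authenticatorVersion": 3,
     "certs": {fingerprint(CERT_V2)}, "uv_flaw_fixed": True},
]

def resolve_by_version(aaguid, reported_version):
    """Statement with the highest authenticatorVersion <= the attested version."""
    fits = [s for s in STATEMENTS if s["aaguid"] == aaguid
            and s["authenticatorVersion"] <= reported_version]
    return max(fits, key=lambda s: s["authenticatorVersion"], default=None)

def resolve_by_cert(aaguid, cert_der):
    """Statement keyed to the batch attestation certificate, if unambiguous."""
    fp = fingerprint(cert_der)
    hits = [s for s in STATEMENTS if s["aaguid"] == aaguid and fp in s["certs"]]
    return hits[0] if len(hits) == 1 else None

def rp_decision(aaguid, cert_der=None, reported_version=None):
    by_cert = resolve_by_cert(aaguid, cert_der) if cert_der is not None else None
    by_ver = (resolve_by_version(aaguid, reported_version)
              if reported_version is not None else None)
    if cert_der is not None and by_cert is None:
        return "unknown"        # cert not listed for this AAGUID
    if by_cert and by_ver and by_cert is not by_ver:
        return "inconsistent"   # cert and attested version disagree
    stmt = by_cert or by_ver
    if stmt is None:
        return "unknown"        # nothing to key the metadata on
    return "accept" if stmt["uv_flaw_fixed"] else "reject-known-flaw"
```

With neither a reported version nor a distinguishing certificate the RP gets "unknown", which is the situation Shane describes: the firmware change is invisible to it.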
