W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2019

Re: [webauthn] add notion of "enterprise" attestation (#1147)

From: Christiaan Brand <cbrand@google.com>
Date: Wed, 27 Feb 2019 10:41:01 -0800
Message-ID: <CAE1XR1mgA5HbiBuaqOMgs+KbFEynepAUVDN4WmuTirYysfYC+Q@mail.gmail.com>
To: "J.C. Jones via GitHub" <sysbot+gh@w3.org>
Cc: W3C Web Authn WG <public-webauthn@w3.org>
MS made a case for not doing that. The idea was:

1. Token contains some blob which says "for which" RPs individual
attestation might be required
2. Upon registration, token sends blob to browser. Browser interprets it.
Might show additional UI telling user what they're about to do.
3. If browser is happy, it'll set the "ep" bit in CTAP.

Maybe we want that in conjunction with the "EP" flag in WebAuthn too.
Dunno. We have a use case where for the same RPID, sometime we want ep, and
sometimes we don't.

On Wed, Feb 27, 2019 at 10:31 AM J.C. Jones via GitHub <sysbot+gh@w3.org>
wrote:

> I'm particularly interested in whether it would be OK if such a feature
> were gated on a group policy for "enterprise mode" -- Firefox, for example,
> gates enterprise PKI features on the pref
> `security.enterprise_roots.enabled` being set. So if we supported this,
> could we make it a thing that isn't generally for consumers but instead for
> enterprises?
>
> --
> GitHub Notification of comment by jcjones
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1147#issuecomment-467977143 using
> your GitHub account
>
>
Received on Wednesday, 27 February 2019 18:41:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC