[webauthn] Attestation privacy advice creates large scale security risks (#1127)

herrjemand has just created a new issue for https://github.com/w3c/webauthn:

== Attestation privacy advice creates large scale security risks ==
> A WebAuthn authenticator manufacturer may choose to ship all of their authenticators with the same (or a fixed number of) attestation key(s) (called Basic Attestation). This will anonymize the user at the risk of not being able to revoke a particular attestation key if its private key is compromised.

I understand that from a privacy perspective this is really good advice. However, it is a really bad security approach. Imagine a manufacturer that releases ten million devices. One device's attestation key is compromised, so the entire ten million devices must be marked as revoked. This is why it's called "batch" and not "manufacturer": because the certificate and keypair are generated per "batch" of keys, so it is quantifiably limited. Right now our policy is 1 attestation keypair per 100k. That is deemed sufficient to mitigate privacy risks, while enabling effective security scaling of the attestation.

> [UAFProtocol] requires that at least 100,000 authenticator devices share the same attestation certificate in order to produce sufficiently large groups. This may serve as guidance about suitable batch sizes.

This is FIDO's policy regarding the protocol. U2F/FIDO2/UAF all have the same mandatory requirements.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1127 using your GitHub account

Received on Friday, 11 January 2019 07:53:53 UTC
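The trade-off the issue describes, as an added example that is not part of the post, the mailing-list archive, or the WebAuthn project: a Go model of batch attestation in which every authenticator in a batch signs with the same ECDSA key, a relying party that consults a revocation set before checking the signature, and a count of how many devices one compromised key takes down when the "batch" is the whole fleet versus 100k units. The names (Fleet, RelyingParty, DevicesRejectedByRevocation), the batch index standing in for the x5c attestation certificate chain, and the constructed authenticator data are assumptions of this example, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fleet models one manufacturer's production run. Every authenticator whose
// serial falls in the same batch of batchSize units carries the same
// attestation private key (assumption: a key per batch index; a real device
// carries an X.509 attestation certificate instead, omitted here).
type Fleet struct {
	batchSize int
	batchKeys []*ecdsa.PrivateKey
}

func NewFleet(deviceCount, batchSize int) (*Fleet, error) {
	if deviceCount <= 0 || batchSize <= 0 {
		return nil, errors.New("fleet: counts must be positive")
	}
	f := &Fleet{batchSize: batchSize}
	for i := 0; i < (deviceCount+batchSize-1)/batchSize; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		f.batchKeys = append(f.batchKeys, k)
	}
	return f, nil
}

// BatchOf maps a device serial to the batch whose key it carries.
func (f *Fleet) BatchOf(serial int) int { return serial / f.batchSize }

// Attestation is the authenticator's output: the batch index (standing in for
// the x5c chain) and an ECDSA signature over SHA-256 of the authenticator data.
type Attestation struct {
	Batch int
	Sig   []byte
}

func (f *Fleet) Attest(serial int, authData []byte) (Attestation, error) {
	b := f.BatchOf(serial)
	if serial < 0 || b >= len(f.batchKeys) {
		return Attestation{}, errors.New("attest: serial outside fleet")
	}
	h := sha256.Sum256(authData)
	sig, err := ecdsa.SignASN1(rand.Reader, f.batchKeys[b], h[:])
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Batch: b, Sig: sig}, nil
}

// RelyingParty trusts the manufacturer's batch public keys and keeps a
// revocation set of batches whose private key is known to be compromised.
type RelyingParty struct {
	trusted []*ecdsa.PublicKey
	revoked map[int]bool
}

func NewRelyingParty(f *Fleet) *RelyingParty {
	rp := &RelyingParty{revoked: map[int]bool{}}
	for _, k := range f.batchKeys {
		rp.trusted = append(rp.trusted, &k.PublicKey)
	}
	return rp
}

// Revoke marks one batch key as compromised. Every device in that batch now
// fails attestation, which is the blast radius the issue is about.
func (rp *RelyingParty) Revoke(batch int) { rp.revoked[batch] = true }

// Verify rejects unknown or revoked batches before checking the signature.
func (rp *RelyingParty) Verify(authData []byte, a Attestation) error {
	if a.Batch < 0 || a.Batch >= len(rp.trusted) {
		return errors.New("verify: unknown attestation batch")
	}
	if rp.revoked[a.Batch] {
		return errors.New("verify: attestation key revoked")
	}
	h := sha256.Sum256(authData)
	if !ecdsa.VerifyASN1(rp.trusted[a.Batch], h[:], a.Sig) {
		return errors.New("verify: bad attestation signature")
	}
	return nil
}

// DevicesRejectedByRevocation counts the devices cut off when the batch
// containing compromisedSerial is revoked; the last batch may be short.
func DevicesRejectedByRevocation(deviceCount, batchSize, compromisedSerial int) int {
	start := (compromisedSerial / batchSize) * batchSize
	end := start + batchSize
	if end > deviceCount {
		end = deviceCount
	}
	return end - start
}

func main() {
	const fleet = 10_000_000
	fmt.Println("one key for the whole fleet:", DevicesRejectedByRevocation(fleet, fleet, 4242))
	fmt.Println("one key per 100k batch:     ", DevicesRejectedByRevocation(fleet, 100_000, 4242))
}
```

Verify checks the revocation set before the signature so that a compromised key cannot be used to forge a valid-looking attestation, and the revocation is keyed on the batch rather than the device because the relying party cannot tell batch members apart; that is exactly the privacy property, and exactly why one leaked key costs the whole batch.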