W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2019

Re: [webauthn] Attestation privacy advice creates large scale security risks (#1127)

From: Ackermann Yuriy via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Jan 2019 14:46:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-453539726-1547217963-sysbot+gh@w3.org>
@emlun I did not meant that user keys are compromised. I mean attestation keys are. If attestation key is compromised, that means that every authenticator that is on the market with that attestation key must be removed, so can't be used for future registrations.

> It is also in the authenticator manufacturer's interest to make the batches as small as possible - to limit financial and brand damage from product recalls, lawsuits, etc. - so I don't think it's particularly likely that a hardware vendor would willingly use the same attestation key for larger batches than necessary.

I think from our past experience,  we've seen that vendors do mistakes all the time. The big. The small. The experienced. The newbies.

Currently we have a policy of 100k devices per attestation key.

-- 
GitHub Notification of comment by herrjemand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1127#issuecomment-453539726 using your GitHub account
Received on Friday, 11 January 2019 14:46:07 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:35 UTC