Re: FacetID equivalent for WebAuthn?

Jeff and I discussed this yesterday. We will probably catch up with AGL
today.

At some point in the future DNS may sort the more general administrative
boundary issue for browsers.

look at https://datatracker.ietf.org/doc/draft-brotman-rdbd/

In the short term, we probably need to do a more specific WebAuthn
delegation mechanism.

John B

On Fri, Jul 19, 2019 at 1:45 PM Marius Scurtescu <
marius.scurtescu@coinbase.com> wrote:

> The iframe solution might be good enough, but that opens other issues I am
> sure.
>
> A CTAP2 only solution is also problematic, because of all the CTAP keys
> out there.
>
> Have fun next week at IETF and thanks for the details.
>
>
> On Thu, Jul 18, 2019 at 6:42 PM John Bradley <jbradley@yubico.com> wrote:
>
>> There was an effort to simplify the spec. FacetID was a victim of
>> that. Dirk can fill in the details.
>>
>> The payments people are wanting the iframe solution, for 3dsecure and
>> open banking.
>>
>> I think we do need a way to delegate domain A to act as a proxy for
>> domain B.
>>
>> I would prefer to do it in a more granular way than was done in FacetID.
>>
>> Some of us kicked some ideas around at the last Fido plenary. I think it
>> could be done in WebAuthn with existing CTAP2 authenticators.
>>
>> John B.
>>
>> On Thu, Jul 18, 2019, 7:50 PM Marius Scurtescu <
>> marius.scurtescu@coinbase.com> wrote:
>>
>>> Thanks again Adam.
>>>
>>> Is this the iframe spec you are referring to:
>>> https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance
>>>
>>> The situation looks pretty bleak from where I stand. I am surprised that
>>> this is not coming up as an issue. Was there a concrete reason to stop
>>> supporting FacetID? Lack of interest?
>>>
>>>
>>> On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:
>>>
>>>> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <
>>>> marius.scurtescu@coinbase.com> wrote:
>>>>
>>>>> How is a multi-domain deployment supposed to work with WebAuthn? And
>>>>> by multi-domain I mean domains that don't match: example1.com and
>>>>> example2.com.
>>>>>
>>>>> One solution that was suggested is to always redirect to the IdP, so
>>>>> there is no need for multiple domains. That might work for login, but when
>>>>> WebAuthn is used as a re-authentication challenge then a full page redirect
>>>>> becomes very difficult to implement, especially for an existing application.
>>>>>
>>>>
>>>> WebAuthn credentials are tied to an RP ID, which is a domain name.
>>>> There is no support for “groups” of domains being acceptable for a
>>>> credential.
>>>>
>>>> Redirecting (with suitable care) is possible, somewhat similar to
>>>> OAuth. There is also (currently) unimplemented spec for granting iframes
>>>> WebAuthn abilities, in which case postMessage can be used. Implementation
>>>> priorities are set by need and, currently, nobody is making a fuss about
>>>> the lack of iframe support so it's not on the roadmap.
>>>>
>>>>
>>>> Cheers
>>>>
>>>> AGL
>>>>
>>>
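Added example, written for this thread and not code from any of its authors: it shows the RP ID rule AGL describes (why example1.com cannot use a credential scoped to example2.com) and the shape of the iframe plus postMessage bridge from the webauthn-2 iframe guidance. It assumes the application runs on https://example1.com and the IdP owning the credentials on https://example2.com; the bridge path and message shape are invented for illustration.

```javascript
// Added example, not from the thread. Assumed origins: app on example1.com,
// IdP (RP ID "example2.com") on example2.com.

// WebAuthn binds a credential to an RP ID that must equal the caller origin's
// effective domain or be a registrable-domain suffix of it. This simplified
// check does not consult the Public Suffix List (a real client does); the
// "must contain a dot" test only blocks the obvious single-label case.
function rpIdAllowedForOrigin(origin, rpId) {
  const host = new URL(origin).hostname;
  if (!rpId.includes('.')) return false;        // crude stand-in for the PSL check
  return host === rpId || host.endsWith('.' + rpId);
}

const IDP_ORIGIN = 'https://example2.com';
const APP_ORIGIN = 'https://example1.com';

// Parent page (example1.com): the frame must be delegated the
// publickey-credentials-get permission through the iframe allow attribute.
function idpFrameHtml() {
  return `<iframe src="${IDP_ORIGIN}/webauthn-bridge" allow="publickey-credentials-get"></iframe>`;
}

// Parent page: accept an assertion only from the IdP origin and only in the
// expected shape, then hand it to the backend; the browser verifies nothing.
function acceptBridgeMessage(event) {
  if (event.origin !== IDP_ORIGIN) return null;  // drop messages from any other frame
  const m = event.data;
  if (!m || m.type !== 'webauthn-assertion' || typeof m.credentialId !== 'string') return null;
  return { credentialId: m.credentialId, clientDataJSON: m.clientDataJSON,
           authenticatorData: m.authenticatorData, signature: m.signature };
}

// Frame page (example2.com): runs the ceremony under its own RP ID and posts
// the result only to the known parent origin. Browser-only; not run here.
async function runBridgeInFrame(challengeBytes) {
  const cred = await navigator.credentials.get({
    publicKey: { challenge: challengeBytes, rpId: 'example2.com', userVerification: 'preferred' },
  });
  const r = cred.response;
  const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
  window.parent.postMessage({
    type: 'webauthn-assertion', credentialId: cred.id,
    clientDataJSON: b64(r.clientDataJSON), authenticatorData: b64(r.authenticatorData),
    signature: b64(r.signature),
  }, APP_ORIGIN);
}
```

The server behind example1.com still has to verify the assertion against the challenge it issued and against the example2.com origin and RP ID hash, exactly as it would for a redirect-based flow.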

Received on Tuesday, 23 July 2019 15:07:35 UTC