Re: [webauthn] more fully delineate "privacy ca", "attestation ca", "anonymization ca" (#1422)

You realize that Direct Anonymous Attestation (DAA) is going away in the 
WebAuthn-2 spec?

https://www.w3.org/TR/webauthn-2/#sctn-defined-attestation-formats

Arshad Noor
StrongKey

On 8/12/20 11:49 AM, Jiewen Tan via GitHub wrote:
> I'm proposing a change to the AttCA to the following:
> 
> Anonymous CA
> In this case, the Authenticator works with a cloud-operated Anonymous CA 
> owned by its manufacturer to dynamically generate per-credential 
> attestation certificates on the CA such that no identification 
> information of the authenticator will be revealed to RPs in the 
> attestation statement.
> 
> The above is based on the original description of Privacy CA and the 
> writing from 14.4.1. Attestation Privacy. It's trying to keep the 
> concept simple to only reflect the common facts. How the authenticator 
> communicates with the CA is intentionally omitted given it is very 
> vendor specific. Comments are welcome!
> 

Received on Wednesday, 12 August 2020 19:33:23 UTC