- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 01 Jul 2020 17:51:42 +0000
- To: public-webauthn@w3.org
ve7jtb has just created a new issue for https://github.com/w3c/webauthn:
== Requesting properties of created credentials. ==
In conversations with some government RPs around national ID programs, there seems to be a requirement that keys not be exportable or shared.
That may or may not be the case with FIDO L1 and L2 authenticators, depending on a number of factors.
In some cases, the RP may also want to guide the user to an authenticator with a particular certification.
As an example, a US FedRAMP High application may need a FIPS 140 Level 2 certified authenticator.
Now the RP needs to call makeCredential and ask for an attestation; it then rejects any that don't meet the requirements set in metadata.
In the first use case, an authenticator might be able to store both restricted and unrestricted credentials if it could get the RP's requirements.
I am proposing a new extension that would pass policy requirements to the authenticator and platform.
In the case of the RP wanting a restricted credential, the extension would have a map with { "keyProtection" : 2 , "isKeyRestricted" : True } to indicate it wants HW protected keys that aren't shared with other applications.
One concern is that at some point platform authenticators will start backing up keys. If we don't have a way to flag a key as restricted, then eID systems may not allow platform authenticators, causing regrettable fragmentation.
We will need to discuss what sorts of policies are appropriate. The extension containing a map is the simple part.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449 using your GitHub account
Received on Wednesday, 1 July 2020 17:51:43 UTC
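The RP-side check the issue describes (ask for an attestation, then reject authenticators whose metadata does not meet the policy), as an added example that is not part of the issue or of the WebAuthn spec. It assumes the AAGUID has already been parsed out of the attestation object's authenticator data, uses the bit-flag encoding of keyProtection from the FIDO Registry (0x02 = hardware, matching the issue's { "keyProtection" : 2 }), and uses a constructed, simplified metadata table in place of a real MDS feed; the `certifications` field and the AAGUIDs are placeholders.

```javascript
// keyProtection bit flags as defined in the FIDO Registry of Predefined Values.
const KEY_PROTECTION_FLAGS = {
  software: 0x01, hardware: 0x02, tee: 0x04, secure_element: 0x08, remote_handle: 0x10,
};

// Constructed sample metadata statements keyed by AAGUID (placeholder values,
// not real authenticators). Real MDS entries carry keyProtection as a list of
// these names; `certifications` is a simplification of the real status reports.
const SAMPLE_METADATA = {
  "00000000-0000-0000-0000-000000000001": {
    description: "Hypothetical hardware-backed, non-shared key",
    keyProtection: ["hardware", "secure_element"], isKeyRestricted: true,
    certifications: ["FIPS-140-2-L2"],
  },
  "00000000-0000-0000-0000-000000000002": {
    description: "Hypothetical software key that may be synced",
    keyProtection: ["software"], isKeyRestricted: false, certifications: [],
  },
};

// Fold the metadata's list of protection names into the Registry bit mask.
function keyProtectionBits(names) {
  return names.reduce((acc, n) => acc | (KEY_PROTECTION_FLAGS[n] || 0), 0);
}

// Compare an RP policy map such as { keyProtection: 2, isKeyRestricted: true }
// against one metadata statement; every unmet requirement is reported.
function evaluatePolicy(policy, statement) {
  const reasons = [];
  if (policy.keyProtection !== undefined) {
    const have = keyProtectionBits(statement.keyProtection || []);
    // Every bit the RP requires must be present in the authenticator's set.
    if ((have & policy.keyProtection) !== policy.keyProtection) {
      reasons.push(`keyProtection 0x${have.toString(16)} lacks required 0x${policy.keyProtection.toString(16)}`);
    }
  }
  if (policy.isKeyRestricted && !statement.isKeyRestricted) {
    reasons.push("key is not restricted to this authenticator (may be shared or exported)");
  }
  const certs = statement.certifications || [];
  if (policy.requiredCertification && !certs.includes(policy.requiredCertification)) {
    reasons.push(`missing certification ${policy.requiredCertification}`);
  }
  return { accepted: reasons.length === 0, reasons };
}

// Registration decision: unknown AAGUIDs are rejected rather than trusted by default.
function checkRegistration(aaguid, policy, metadata = SAMPLE_METADATA) {
  const statement = metadata[aaguid];
  if (!statement) return { accepted: false, reasons: [`no metadata statement for AAGUID ${aaguid}`] };
  return evaluatePolicy(policy, statement);
}
```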