- From: Arshad Noor <arshad.noor@strongkey.com>
- Date: Tue, 17 Nov 2020 05:05:03 -0800
- To: public-webauthn@w3.org
- Message-ID: <0ab96186-859c-d840-c9e7-756d98a92145@strongkey.com>
It is not so much that a /user/ is being identified as much as that the user _and_ the FIDO Authenticator are being identified as a pairing. It is the overt attestation of the pairing that violates the FIDO principle of privacy. In an enterprise environment, users are always going to be identified when they use any device - computer, mobile phone, application - that provides access to sensitive information and operations (thereby creating risk for the enterprise). The FIDO Authenticator just happens to be one more new device that has this potential and will be targeted for tracking.

I do concur, however, that such FIDO Authenticators (and/or the User Agent) should signal to the user that the device is configured for /Enterprise Attestation/, and that there can be no expectation of privacy with the use of such an Authenticator. This signal will inform users that such Authenticators depart from the general FIDO privacy principle, and should _not_ be used outside the enterprise environment.

Arshad Noor
StrongKey

On 11/16/20 10:29 PM, Pranjal Jumde via GitHub wrote:
> jumde has just created a new issue for https://github.com/w3c/webauthn:
>
> == user-agent signal for enterprise attestation should be understandable for general users ==
>
> From the spec:
>> enterprise
>> This value indicates that the Relying Party wants to receive an attestation statement that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested RP ID.
>> If permitted, the user agent SHOULD signal to the authenticator (at invocation time) that enterprise attestation is requested, and convey the resulting AAGUID and attestation statement, unaltered, to the Relying Party.
>
> Most users in an enterprise setting will not understand what `enterprise attestation` means. It would be helpful for users if the user-agent/authenticator signals that `user identifying information` is being requested.
Received on Tuesday, 17 November 2020 13:05:19 UTC
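The following is an added example, not code from the WebAuthn spec, any browser, or the authors in this thread. It models the two spec requirements quoted above (the user-agent policy gate for the "enterprise" conveyance preference, with the plain-language user notice the thread asks for, and the RP-side extraction of the conveyed AAGUID); the policy object, function names, the "indirect" downgrade target and the notice wording are assumptions.

```javascript
// Added example: user-agent gate and RP-side AAGUID check for enterprise attestation.
// Not spec or browser code; policy shape, names, downgrade target and notice text are assumed.

// Constructed user-agent configuration: RP IDs for which this deployment permits
// enterprise attestation. The spec leaves the configuration mechanism to the UA.
const ENTERPRISE_ATTESTATION_POLICY = { permittedRpIds: new Set(["corp.example"]) };

// Decides, before the authenticator is invoked, how the UA handles the requested
// attestation conveyance preference for the resolved RP ID.
function gateEnterpriseAttestation(publicKeyOptions, rpId, policy = ENTERPRISE_ATTESTATION_POLICY) {
  const requested = publicKeyOptions.attestation ?? "none";
  if (requested !== "enterprise") {
    return { effectivePreference: requested, signalEnterprise: false, userNotice: null };
  }
  if (!policy.permittedRpIds.has(rpId)) {
    // MUST NOT provide enterprise attestation for an unconfigured RP ID; the request
    // proceeds as an ordinary one. Downgrading to "indirect" is this example's choice.
    return { effectivePreference: "indirect", signalEnterprise: false, userNotice: null };
  }
  // Permitted: signal the authenticator, and tell the user in plain words (the thread's
  // point) rather than with the spec term "enterprise attestation".
  return {
    effectivePreference: "enterprise",
    signalEnterprise: true,
    userNotice: `${rpId} is asking for information that can uniquely identify this ` +
      `security key and link it to you. Your organisation's policy allows this for ${rpId}.`,
  };
}

// RP-side helper: read the AAGUID from the authenticator data the UA conveyed unaltered,
// so the RP can compare it with its approved set. Authenticator data layout:
// rpIdHash(32) | flags(1) | signCount(4) | attested credential data, which begins with
// the 16-byte AAGUID and is present only when the AT flag (0x40) is set.
function extractAaguid(authData) {
  const FLAG_AT = 0x40;
  if (authData.length < 37 || (authData[32] & FLAG_AT) === 0) return null;
  if (authData.length < 37 + 16) throw new Error("truncated attested credential data");
  const hex = Array.from(authData.subarray(37, 53), (b) => b.toString(16).padStart(2, "0")).join("");
  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
}

// Constructed authenticator data: zeroed rpIdHash, flags UP|AT (0x41), zero sign count,
// AAGUID 00010203-0405-0607-0809-0a0b0c0d0e0f, then a 2-byte credential ID.
const SAMPLE_AUTH_DATA = Uint8Array.from([
  ...new Array(32).fill(0), 0x41, 0, 0, 0, 0,
  ...Array.from({ length: 16 }, (_, i) => i), 0x00, 0x02, 0xaa, 0xbb,
]);
```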