W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2020

Re: [webauthn] Abstracting the concept of Privacy CA/Attestation CA into Anonymization CA (#1474)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 02 Sep 2020 16:31:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-685852365-1599064265-sysbot+gh@w3.org>
> you are generalizing the TCG's [Attestation CA](https://w3c.github.io/webauthn/#attestation-ca) into the [Anonymization CA notion](https://w3c.github.io/webauthn/#anonymization-ca). [...] and denote [Attestation CA] as a particular instance of an Anonymization CA.

I think the categories make more sense the other way around: that an "anonymization CA" is one subtype of the broader class "attestation CA". Any solution of this kind is one where some other CA (whether hosted in the cloud or on the client device) than the authenticator is used to perform attestation - that attestation _might_ anonymize the attestation, but in theory it could just as well generate a uniquely identifiable attestation. Or it might preserve much the same information as the authenticator's original attestation statement, but add additional information like, say, various certification levels.

So if the goal is to abstract or generalize the concept, then replacing the term "attestation CA" with "anonymization CA" seems counterproductive, because the latter is less general than the former.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1474#issuecomment-685852365 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 2 September 2020 16:31:07 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 2 September 2020 16:31:08 UTC