Re: [webauthn] Abstracting the concept of Privacy CA/Attestation CA into Anonymization CA (#1474)

From: Jiewen Tan via GitHub <sysbot+gh@w3.org>
Date: Wed, 02 Sep 2020 18:55:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-685932727-1599072916-sysbot+gh@w3.org>

> > you are generalizing the TCG's [Attestation CA](https://w3c.github.io/webauthn/#attestation-ca) into the [Anonymization CA notion](https://w3c.github.io/webauthn/#anonymization-ca). [...] and denote [Attestation CA] as a particular instance of an Anonymization CA.
> 
> I think the categories make more sense the other way around: that an "anonymization CA" is one subtype of the broader class "attestation CA". Any solution of this kind is one where some other CA (whether hosted in the cloud or on the client device) than the authenticator is used to perform attestation - that attestation _might_ anonymize the attestation, but in theory it could just as well generate a uniquely identifiable attestation. Or it might preserve much the same information as the authenticator's original attestation statement, but add additional information like, say, various certification levels.
> 
> So if the goal is to abstract or generalize the concept, then replacing the term "attestation CA" with "anonymization CA" seems counterproductive, because the latter is less general than the former.

Sounds like TCG's attestation CA is on device? Weird, it sounds like the intermediate CA's certificate is the tracking vector.

-- 
GitHub Notification of comment by alanwaketan
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1474#issuecomment-685932727 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 2 September 2020 18:55:19 UTC
