Re: [webauthn] Requesting properties of created credentials. (#1449)

>In conversations with some government RP around national ID programs, there seems to be a requirement that (A) keys not be exportable or shared.

By shared I was referring to what we currently have as the restricted property.  

If the key is stored in a secure element or secure execution environment, it needs to only be available to the authenticator application.

In some architectures any application can ask for a key to be used for signing if the user is authenticated. 

The eIDAS regulation is quite clear on this requirement for level high.  

CZ.nic, who run a Czech eIDAS service that supports FIDO2 authenticators, has been through this with their auditors for certification.

I have had similar conversations with other eIDAS providers in other countries. 

The way they deal with it now is by doing the makeCredential with attestation and comparing that to a white list, and rejecting or allowing non-conforming authenticators to only work for lower levels.

The idea would be to provide a hint to the platform with the makeCredential so that the platform could help the user, and perhaps reduce the number of round trips the user needs to do if they have multiple authenticator options. 

If in the FedRAMP case any non-FIPS-certified authenticators are going to have their attestations rejected, the user could be warned if they select an authenticator that doesn't meet the requirements without having to round trip the transaction.

The FedRAMP use case may be specific to an Enterprise.

The eIDAS one is a grey area between consumer and Government. 

I don't know if any of the current platform authenticators would qualify for eIDAS high now, or if proposed changes with syncing keys between devices would have an impact.

That is something we would need to take up with EU regulators.  

John B. 
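
The RP-side allowlist check described in this comment (makeCredential with attestation, AAGUID compared against an allowlist, non-conforming authenticators limited to lower levels), as an added example that is not part of the thread or the WebAuthn spec. The AAGUIDs, level names and sample authData are constructed placeholders, and the policy step assumes the attestation statement's signature and certificate chain have already been verified.

```python
import struct
import uuid

# Constructed allowlist for illustration only: placeholder AAGUIDs (not real
# products) mapped to the highest assurance level the RP's policy grants them.
# In practice the RP would build this from audited authenticator metadata.
ALLOWLIST = {
    "00000000-0000-0000-0000-0000000000a1": "high",
    "00000000-0000-0000-0000-0000000000b2": "substantial",
}
LEVEL_RANK = {"low": 0, "substantial": 1, "high": 2}
FLAG_UP = 0x01  # authData flag: user present
FLAG_AT = 0x40  # authData flag: attested credential data included

def parse_aaguid(auth_data: bytes) -> str:
    """Pull the AAGUID out of WebAuthn authenticator data.
    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key.
    Only the AAGUID is needed for the allowlist decision."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))

def evaluate_registration(auth_data: bytes, requested_level: str) -> dict:
    """Policy step: decide which level this authenticator may be enrolled for.
    Assumes the attestation statement's signature and chain were already
    verified; an unverified AAGUID is only a claim by the authenticator."""
    try:
        aaguid = parse_aaguid(auth_data)
    except ValueError as exc:
        return {"decision": "reject", "reason": str(exc)}
    granted = ALLOWLIST.get(aaguid, "low")  # unlisted: lowest level only
    ok = LEVEL_RANK[granted] >= LEVEL_RANK[requested_level]
    return {"decision": "accept" if ok else "downgrade", "aaguid": aaguid,
            "granted": granted, "requested": requested_level}

def make_auth_data(aaguid: str, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed sample authData for local testing (not from a real authenticator)."""
    header = bytes(32) + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", 0)
    return header + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id
```

A "downgrade" result is the point where a platform hint at makeCredential time could have warned the user before the round trip.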


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449#issuecomment-873320128 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 3 July 2021 01:03:40 UTC