Re: [webauthn] Eliminate duplicate terminology (#1648)

> FIDO, on the other hand, authenticates the user _directly_. With a digital signature! When the FIDO server responds to the web-application with a "Yea" or a "Nay", it is not _asserting_ as a third-party that it authenticated the user - but is absolute in claiming (as a first party) that it authenticated the user (or not).

Web Authentication authenticates the user with an authentication-protocol-specific message from a piece of hardware which the Relying Party has to trust in order to use for authentication. The Relying Party is insulated from knowing how the authenticator did that or what form the authentication took; it is insulated from knowing how private keys are protected and whether things like user verification or user presence detection were done properly. Trust decisions are based on the user opting to use the authenticator, on attestations from the vendor that they implemented a certain set of policies or protections, and/or on third-party audit.

Similarly, trust in federated protocols has been based on user choice for OpenID 1/2, on peer negotiations for typical SAML deployments and by third parties in the case of something like InCommon.

That a relying party chose to implement processing logic via a FIDO-certified server does not change that the authentication is coming from outside its security domain, or that it needs to make a trust decision in order to process the response. While assertion may not be the best term, I don't see it as an inaccurate one.

Digital Signature is inaccurate, because Web Authentication is not a general-purpose API like Web Crypto. WebAuthn is an API fronting a request/response protocol for authentication challenges, and which defines binary security messages of which a signature is only a component. A digital signature provides integrity, but does not itself provide any additional security properties necessary for authentication.

GitHub Notification of comment by dwaite


Received on Tuesday, 20 July 2021 02:12:11 UTC
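The point made above, that the signature is only one component of the WebAuthn security message and that the Relying Party still has to check what the authenticator claims (origin, challenge, RP ID hash, user presence/verification flags, signature counter) before it can treat the response as an authentication, is easier to see in the RP-side verification logic. The following is an added example and not code from the thread or from the WebAuthn project. It assumes an ECDSA P-256 credential, a constructed in-process "authenticator" that stands in for real hardware so the example runs offline, and the assertion-ceremony checks of WebAuthn section 7.2; the challenge is deliberately reused across cases to show the counter check rather than the challenge check catching a replay.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// authenticatorData flag bits (WebAuthn section 6.1).
const (
	flagUP byte = 0x01 // user present
	flagUV byte = 0x04 // user verified
)

// Assertion is what the browser hands the RP after navigator.credentials.get().
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte // Signature is ASN.1 DER ECDSA
}

// Credential is the RP's stored record for one registered key.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// VerifyAssertion runs the RP-side checks of WebAuthn section 7.2. The signature
// check is only the last step: a valid signature over the wrong origin, challenge,
// RP ID or flags is still a failed authentication.
func VerifyAssertion(a Assertion, cred *Credential, rpID, origin string, challenge []byte, requireUV bool) error {
	var cd struct{ Type, Challenge, Origin string } // json matches keys case-insensitively
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch")
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	flags := a.AuthenticatorData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if requireUV && flags&flagUV == 0 {
		return errors.New("user verification not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase (replay or cloned authenticator)")
	}
	// The signed message is authenticatorData || SHA-256(clientDataJSON), not the challenge alone.
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], a.Signature) {
		return errors.New("signature invalid")
	}
	cred.SignCount = count
	return nil
}

// fakeAuthenticator is a constructed stand-in for real hardware (hypothetical, for the example).
type fakeAuthenticator struct {
	priv  *ecdsa.PrivateKey
	count uint32
}

func (f *fakeAuthenticator) assert(rpID string, flags byte, clientDataJSON []byte) Assertion {
	f.count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], f.count)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, f.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return Assertion{authData, clientDataJSON, sig}
}

// clientDataJSON builds the CollectedClientData the browser would produce for a get() call.
func clientDataJSON(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	return b
}

// RunScenarios maps each constructed case to its rejection reason ("" means accepted).
func RunScenarios() map[string]string {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &fakeAuthenticator{priv: priv}
	cred := &Credential{PublicKey: &priv.PublicKey}
	const rpID, origin = "example.com", "https://example.com"
	challenge := make([]byte, 32) // constructed per-ceremony challenge
	rand.Read(challenge)
	msg := func(err error) string {
		if err == nil {
			return ""
		}
		return err.Error()
	}
	good := auth.assert(rpID, flagUP|flagUV, clientDataJSON(challenge, origin))
	return map[string]string{
		"valid":            msg(VerifyAssertion(good, cred, rpID, origin, challenge, true)),
		"replayed":         msg(VerifyAssertion(good, cred, rpID, origin, challenge, true)),
		"wrong origin":     msg(VerifyAssertion(auth.assert(rpID, flagUP|flagUV, clientDataJSON(challenge, "https://other.example")), cred, rpID, origin, challenge, true)),
		"no user presence": msg(VerifyAssertion(auth.assert(rpID, 0, clientDataJSON(challenge, origin)), cred, rpID, origin, challenge, true)),
	}
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-18s -> %q\n", k, v)
	}
}
```

The "wrong origin" and "no user presence" cases carry cryptographically valid signatures from the registered key and are still rejected; the RP's acceptance rests on the checks around the signature, which is why the response reads as an assertion the RP must evaluate rather than a self-evident proof.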