Re: [webauthn] Enterprise Attestation Conveyance Preference (#1652) from Arshad Noor via GitHub on 2021-07-29 (public-webauthn@w3.org from July 2021)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Thu, 29 Jul 2021 17:02:48 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-889312134-1627578166-sysbot+gh@w3.org>

Thanks for that, Adam; I suspected that but needed clarification from the people who're defining the API.

I wish FIDO Alliance or the W3C had established - or at least, strongly recommended - a standard for the certificate profile of the Attestation certificate for _enterprise_ attestations. Having built many bespoke PKIs in my career, I don't look forward to having to deal with custom certificate profiles with custom OIDs for attestations in different organizations. Our efforts to standardize a FIDO Server are designed to make FIDO deployments as simple and easy as possible; but when the spec is sufficiently vague to allow RPs to do what they want on the back-end, it just makes our job more difficult to make a standard solution that includes bespoke attestation certificates that might have to search for specific OIDs, attributes, etc.

What are the chances of using a unique OID chained to a private FIDO Alliance registered OID, years ago ([1.3.6.1.4.1.45724](https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers)) and making that a standard for _enterprise_ attestations? RPs can put what they want in the usual DN attributes, but if they want a custom _enterprise_ OID (as I sense some very large RPs will), they can put the child of the standard FIDO Alliance OID in their attestation certificate, and FIDO Servers can just search for specific DNs with this specific OIDs within specific truststores (or AIA extension URLs) to validate the chain? This would allow for some flexibility for RPs using _enterprise_ attestations while enabling standardized FIDO Servers to serve many RPs?

I'm happy to create such a certificate profile as an example as long as some of the RPs that wanted this _enterprise_ attestation confirm they're willing to use such a standard OID. If they insist on using something of their own, then they're simply making the total cost of ownership (TCO) of their FIDO deployment high by complicating life for the OAM (Operations, Administration & Maintenance) folks responsible for this infrastructure.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1652#issuecomment-889312134 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 29 July 2021 17:02:49 UTC