[webauthn] Requirements for security of MDC, DPK and attestation (#1808)

keikoit has just created a new issue for https://github.com/w3c/webauthn:

== Requirements for security of MDC, DPK and attestation ==
We (some RPs in Japan) think, for high assurance services, the minimum requirements are either

1. (MDC with no attestation) + (DPK with attestation), or
2. (MDC with attestation) + (DPK with no attestation required)

To achieve what RPs need to know about detecting an access from a new device, attestation can be of the hardware-protected provenance type or of the integrity-check type provided by the platform.
Integrity-check type attestation, e.g., SafetyNet, Apple attestation, can be used with DPK by RPs to securely identify an MDC access from a new device IF the platform protects private keys securely.

Reference:
https://docs.google.com/presentation/d/1wy5y0pvdQATmZOfPvljTRtljtiRJmiM_hGTbdYeH5Lo/edit?usp=sharing

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1808 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 23 September 2022 04:58:59 UTC