New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make packed attestation format Privacy CA-friendly #584
Comments
In case of using Privacy-CA model, the authenticator has Endorsement key (EK) which is long-term key like attestation key in Basic Attestation model. |
There might not be an enrollment process between the authenticator and the Privacy-CA. There is not, for example, in current U2F tokens. As an alternative to Dirk's scheme, the RP ID should be replaced in the signed message with H(blind + RP ID). The Privacy-CA would still see the structure of the message that it was signing, but the blind would only be disclosed to the RP by the client. |
In WebAuthn spec, there are supported attestation types including Privacy-CA. |
@christiaanbrand we agreed that we will keep this open, but you will create a new issue that describes making a new packed attestation format so this becomes a non breaking change |
To Adams comment, I am more comfortable with just blinding the "CA" to the RP ID rather than removing the audience totally. If the RP ID can be hashed with a nonce before going to the fido client then CTAP would not necessarily need a new attestation format. The proxy would need a new attestation type so that the client would know how to verify the blinded RP_ID but other than that the packed format could stay the same. |
In this blinding scheme, what gets passed to authenticator at authenticatorGetAssertion time? If it is not the same as of authenticatorMakeCredential time, how will authenticator finds out the credential?? If it is same, who remembers that nonce on different platforms? |
Good point. That method of blinding won't work. That leaves us with needing to change the attestation from the Authenticator to support this. What are the security implications of leaving a audiance out of the attestation. Is there anything else that is currently passed to the Authenticator that could also be used as an audiance? The format returned needs to work both directly and with a privacy CA or whatever it is called or it will require opening up CTAP just when we thought that we were done. |
I agree and we want all the current security assurances from the new scheme also (like able to tie together RPID with the credential in the signature.) We need to see @leshi / @balfanz / @christiaanbrand proposal quickly on this. If I understand it correctly, @balfanz is saying something like this Current Attestation Format: Proposed Attestation Format: In case of privacy CA, "Attestation Key" is replaced with "Privacy CA Key" |
Dirk's proposal seems like delegation of generating attestation signature from the authenticator to the Privacy CA (actually it's not in the context of TPM and WebAuthn). This is sometimes called proxy signature scheme. Usually, this approach is used in the applications like grid computing and mobile computing which the client has a limited resources to sign the message. It's not for the privacy of the original signer (authenticator and user). |
Closing with no action per decision at 11-Oct-17 working group meeting. |
Currently, the packed attestation format requires that the attestation key sign over - among other things - the RP ID hash and client data hash.
If/when we move to a Privacy CA model - in which the attestation signature generated by the authenticator is replaced by the attestation signature generated by the Privacy CA - it is desirable that the Privacy CA not learn the identity of the Relying Party that the user is signing into. But that identity is easily recoverable from the RP ID hash and - possibly (although unlikely) - from the client data hash.
Therefore, the packed attestation format should be changed to require that the attestation key sign over the newly-generated credential public key, and the newly-generated credential private key sign over the RP ID hash and client data hash.
The text was updated successfully, but these errors were encountered: