-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add notion of "enterprise" attestation #1147
Comments
Can you describe a concrete use case for this that is currently not possible to implement? |
having an authenticator uniquely identify itself via attestation. |
Yes, of course - what I meant to ask is what would be a concrete use case for that capability? In what circumstance would an RP need to know the identity of an authenticator before registering a credential with it (after which it can be identified by the credential ID)? |
@agl Need more info on why we need to do this |
I'm particularly interested in whether it would be OK if such a feature were gated on a group policy for "enterprise mode" -- Firefox, for example, gates enterprise PKI features on the pref |
on 27-Feb-2019, @christiaanbrand replied in email rather than here: MS made a case for not doing that. The idea was:
Maybe we want that in conjunction with the "EP" flag in WebAuthn too. |
@leshi to come back with validation of this or other proposals |
@agl reports on call 20-mar-2019 that unique/individual attestation approach is preferred by enterprises rather than the pre-registration approach. Leave open as this is firmed up in CTAP2-land. |
I'm a bit confused as to the purpose still. Is this meant to be a way for organizations to do some subset of:
|
Roughly: batch attestation is too strong for consumer uses and too weak for enterprise cases. Enterprises want:
The individual attestation certificates, in U2F devices that support them, are based on the private key that's established in the trusted factory that makes the chips. When these chips are made it's not predetermined what device they'll end up in, and only a fraction are destined for security keys. But, by basing the individual attestation on that initial identity, the chain of trust can be rooted at manufacture time. Preregistration of credentials has been suggested as a solution, but the location that puts FIDO firmware on the chip and packages it up into a security key may not be so trusted. Since preregistration is a FIDO concept, that means that the trust doesn't stretch as far. Perhaps the preregistered credential could also be based on that initial identity? But then we lose flexibility: one can challenge the preregistered credential, but trust can never be extended to any other credentials as attestation can do. So we would depend on never needing extra credentials to be trusted (which fails once we start looking at including SSH), and that the RP ID for a customer never change (which is a large assumption). Enterprises also want to bypass any permissions prompts for their internal registrations, but that's a user agent-specific concern. |
This issue is pending "config management" PR in FIDO land |
@agl to create PR |
In controlled deployments, organisations may wish to tie specific registrations back to individual authenticators. Obviously this has privacy concerns and needs to be gated on local configuration, or special configuration on the authenticator. However, as cloud services are increasingly used, RP IDs are no longer neatly divided into enterprise and consumer contexts, and the RP might _not_ wish to receive the enterprise attestation when used in a consumer context. This change adds a new level of attestation, “enterprise”, which allows RPs to indicate when they would like to, possibly, receive an attestation that may include uniquely identifying information. This leaves “direct” with its current, less privacy-impacting meaning. Fixes w3c#1147
* Add “enterprise” attestation type. In controlled deployments, organisations may wish to tie specific registrations back to individual authenticators. Obviously this has privacy concerns and needs to be gated on local configuration, or special configuration on the authenticator. However, as cloud services are increasingly used, RP IDs are no longer neatly divided into enterprise and consumer contexts, and the RP might _not_ wish to receive the enterprise attestation when used in a consumer context. This change adds a new level of attestation, “enterprise”, which allows RPs to indicate when they would like to, possibly, receive an attestation that may include uniquely identifying information. This leaves “direct” with its current, less privacy-impacting meaning. Fixes #1147 * Signal attestation at the correct time. * Merging a suggested change from Jeff Co-Authored-By: =JeffH <jdhodges@google.com> * Merging a suggested change from Jeff Co-Authored-By: =JeffH <jdhodges@google.com> * modest fixups for enterprise attestation * Convert to DOMString * Remove fallback to direct * Apply jcjones' suggestion Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com> Co-authored-by: =JeffH <jdhodges@google.com> Co-authored-by: J.C. Jones <james.jc.jones@gmail.com>
We are proposing adding another
PublicKeyCredentialCreationOptions
parameter (for[[Create]]()
) such that an RP can indicate it wishes the authenticator to provide "enterprise attestation" which allows an authenticator to send back special attestation data (might even be individual attestation) . This request will only be honored by the client platform if there exists some enterprise policy stating: "yes, it's okay for this RPID".See also: fido-alliance/fido-2-specs#596
The text was updated successfully, but these errors were encountered: