Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add notion of "enterprise" attestation #1147

Closed
equalsJeffH opened this issue Jan 24, 2019 · 12 comments · Fixed by #1366
Closed

add notion of "enterprise" attestation #1147

equalsJeffH opened this issue Jan 24, 2019 · 12 comments · Fixed by #1366

Comments

@equalsJeffH
Copy link
Contributor

equalsJeffH commented Jan 24, 2019

We are proposing adding another PublicKeyCredentialCreationOptions parameter (for [[Create]]()) such that an RP can indicate it wishes the authenticator to provide "enterprise attestation" which allows an authenticator to send back special attestation data (might even be individual attestation) . This request will only be honored by the client platform if there exists some enterprise policy stating: "yes, it's okay for this RPID".

See also: fido-alliance/fido-2-specs#596

@emlun
Copy link
Member

emlun commented Jan 25, 2019

Can you describe a concrete use case for this that is currently not possible to implement?

@equalsJeffH
Copy link
Contributor Author

having an authenticator uniquely identify itself via attestation.

@emlun
Copy link
Member

emlun commented Jan 28, 2019

Yes, of course - what I meant to ask is what would be a concrete use case for that capability? In what circumstance would an RP need to know the identity of an authenticator before registering a credential with it (after which it can be identified by the credential ID)?

@nadalin
Copy link
Contributor

nadalin commented Feb 27, 2019

@agl Need more info on why we need to do this

@jcjones
Copy link
Contributor

jcjones commented Feb 27, 2019

I'm particularly interested in whether it would be OK if such a feature were gated on a group policy for "enterprise mode" -- Firefox, for example, gates enterprise PKI features on the pref security.enterprise_roots.enabled being set. So if we supported this, could we make it a thing that isn't generally for consumers but instead for enterprises?

@equalsJeffH
Copy link
Contributor Author

equalsJeffH commented Mar 1, 2019

on 27-Feb-2019, @christiaanbrand replied in email rather than here:

MS made a case for not doing that. The idea was:

  1. Token contains some blob which says "for which" RPs individual
    attestation might be required
  2. Upon registration, token sends blob to browser. Browser interprets it.
    Might show additional UI telling user what they're about to do.
  3. If browser is happy, it'll set the "ep" bit in CTAP.

Maybe we want that in conjunction with the "EP" flag in WebAuthn too.
Dunno. We have a use case where for the same RPID, sometime we want ep, and
sometimes we don't.

@nadalin
Copy link
Contributor

nadalin commented Mar 7, 2019

@leshi to come back with validation of this or other proposals

@equalsJeffH
Copy link
Contributor Author

@agl reports on call 20-mar-2019 that unique/individual attestation approach is preferred by enterprises rather than the pre-registration approach. Leave open as this is firmed up in CTAP2-land.

@nadalin nadalin modified the milestones: L2-WD-01, L2-WD-02 Apr 24, 2019
@dwaite
Copy link
Contributor

dwaite commented Apr 25, 2019

I'm a bit confused as to the purpose still. Is this meant to be a way for organizations to do some subset of:

  1. attest that an authenticator was supplied by them
  2. attest that an authenticator is co-located on a platform managed by them
  3. allow for an organization to associate additional attributes with authenticators supplied/managed by them
  4. retrieve a unique identity of an authenticator (aka serial #)
  5. short circuit the user user consent within zones configured by policy on the client platform
  6. represent the concept of an organization's zone (as sanctioned RPIDs) within a supplied/managed authenticator

@agl
Copy link
Contributor

agl commented Apr 27, 2019

I'm a bit confused as to the purpose still.

Roughly: batch attestation is too strong for consumer uses and too weak for enterprise cases.

Enterprises want:

  1. Stronger identity assurance than is provided by batch attestations.
  2. Individual asset tracking.

The individual attestation certificates, in U2F devices that support them, are based on the private key that's established in the trusted factory that makes the chips. When these chips are made it's not predetermined what device they'll end up in, and only a fraction are destined for security keys. But, by basing the individual attestation on that initial identity, the chain of trust can be rooted at manufacture time.

Preregistration of credentials has been suggested as a solution, but the location that puts FIDO firmware on the chip and packages it up into a security key may not be so trusted. Since preregistration is a FIDO concept, that means that the trust doesn't stretch as far.

Perhaps the preregistered credential could also be based on that initial identity? But then we lose flexibility: one can challenge the preregistered credential, but trust can never be extended to any other credentials as attestation can do. So we would depend on never needing extra credentials to be trusted (which fails once we start looking at including SSH), and that the RP ID for a customer never change (which is a large assumption).

Enterprises also want to bypass any permissions prompts for their internal registrations, but that's a user agent-specific concern.

@leshi
Copy link
Contributor

leshi commented May 29, 2019

This issue is pending "config management" PR in FIDO land

@nadalin nadalin added the stat:Blocked Prerequisites are not yet satisfied label Jun 12, 2019
@nadalin nadalin modified the milestones: L2-WD-02, L2-WD-03 Oct 30, 2019
@equalsJeffH equalsJeffH removed the stat:Blocked Prerequisites are not yet satisfied label Jan 22, 2020
@nadalin
Copy link
Contributor

nadalin commented Jan 22, 2020

@agl to create PR

agl added a commit to agl/webauthn that referenced this issue Jan 22, 2020
In controlled deployments, organisations may wish to tie specific
registrations back to individual authenticators. Obviously this has
privacy concerns and needs to be gated on local configuration, or
special configuration on the authenticator. However, as cloud services
are increasingly used, RP IDs are no longer neatly divided into
enterprise and consumer contexts, and the RP might _not_ wish to receive
the enterprise attestation when used in a consumer context.

This change adds a new level of attestation, “enterprise”, which allows
RPs to indicate when they would like to, possibly, receive an
attestation that may include uniquely identifying information. This
leaves “direct” with its current, less privacy-impacting meaning.

Fixes w3c#1147
equalsJeffH added a commit that referenced this issue Apr 29, 2020
* Add “enterprise” attestation type.

In controlled deployments, organisations may wish to tie specific
registrations back to individual authenticators. Obviously this has
privacy concerns and needs to be gated on local configuration, or
special configuration on the authenticator. However, as cloud services
are increasingly used, RP IDs are no longer neatly divided into
enterprise and consumer contexts, and the RP might _not_ wish to receive
the enterprise attestation when used in a consumer context.

This change adds a new level of attestation, “enterprise”, which allows
RPs to indicate when they would like to, possibly, receive an
attestation that may include uniquely identifying information. This
leaves “direct” with its current, less privacy-impacting meaning.

Fixes #1147

* Signal attestation at the correct time.

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* Merging a suggested change from Jeff

Co-Authored-By: =JeffH <jdhodges@google.com>

* modest fixups for enterprise attestation

* Convert  to DOMString

* Remove fallback to direct

* Apply jcjones' suggestion

Co-Authored-By: J.C. Jones <james.jc.jones@gmail.com>

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: J.C. Jones <james.jc.jones@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment