Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebAPI: FIDO Authenticator model - clarifications needed #12

Closed
equalsJeffH opened this issue Mar 13, 2016 · 4 comments
Closed

WebAPI: FIDO Authenticator model - clarifications needed #12

equalsJeffH opened this issue Mar 13, 2016 · 4 comments
Assignees
@equalsJeffH
Labels
stat:Discuss subtype:impl-cons type:editorial
Milestone
Last Working Draft

Comments

@equalsJeffH
Copy link
Contributor

equalsJeffH commented Mar 13, 2016
edited
Loading

Originally submitted by: smachani1, on: Monday Oct 05, 2015 at 01:07 GMT

  1. webauthn Authenticator model
    You may want to explain and/or clarify in this section if :

a) More than 1 webauthn credentials on the same authenticator can be associated with a single account at the Relying party? e.g. a privileged shared account that is accessed from the same desktop station with an embedded webauthn authenticator. Each one of the users of the shared account may use their own Biometric gestures to unlock their own credential for identification.

b) One webauthn credential can be associated with more than one user accounts with the same Relying Party? If so we will have to revisit the registration flow. If not and a webauthn credential must be unique per-user account/identity per-RP then it needs to be stated.

c) A user could register more than one authenticator (a mix of embedded and external authenticator) with the same Relying party and associated with the same user account?

d) Cloned webauthn credentials are allowed? I assume not, but how would the RP ensure that the webauthn credential is bound to one authenticator?
@equalsJeffH equalsJeffH added this to the ms-fido-v2.0-w3c milestone Mar 13, 2016
@equalsJeffH equalsJeffH removed this from the ms-fido-v2.0-w3c milestone Mar 13, 2016
@nadalin nadalin added this to the SPWD milestone Mar 30, 2016
@equalsJeffH equalsJeffH self-assigned this Sep 20, 2016
@bifurcation bifurcation modified the milestones: WD-03, CR Sep 20, 2016
@equalsJeffH
Copy link
Contributor Author

@smachani1 wrote:

webauthn Authenticator model You may want to explain and/or clarify in this section if:
a) More than 1 webauthn credentials on the same authenticator can be associated with a single account at the Relying party? e.g. a privileged shared account that is accessed from the same desktop station with an embedded webauthn authenticator. Each one of the users of the shared account may use their own Biometric gestures to unlock their own credential for identification.

I think the combination of makeCredential()'s excludeList and getAssertion()'s allowList address this use case -- i.e., the RP would not use excludeList at registration time, thus allowing for the creation of multiple creds mapped to the same accountInformation.id value.

However, there apparently is no guarantee that multiple creds mapped to the same accountInformation.id would be presented at getAssertion() time, even if listed in the allowList -- see second subbullet under first bullet near beginning of {#makeCredential}.

b) One webauthn credential can be associated with more than one user accounts with the same Relying Party?

I believe the answer is "no", because the authenticatorMakeCredential operation generates a new credential by default and does not re-use any other credential data associated with the given RP ID hash that already exists on the authenticator.

If not and a webauthn credential must be unique per-user account/identity per-RP then it needs to be stated.

Hm, perhaps we can illustrate these cred-to-account mapping permutation possibilities in a table...

c) A user could register more than one authenticator (a mix of embedded and external authenticator) with the same Relying party and associated with the same user account?

Yes -- that is up to the RP to manage.

d) Cloned webauthn credentials are allowed? I assume not, but how would the RP ensure that the webauthn credential is bound to one authenticator?

detecting and handling cloned credentials (e.g., purloined credential private keys) is up to the RPs. sudden odd changes in the returned value of the signature counter may help with this. of course RPs can bring other client-recognizing techniques to bear, such as an absence or change in the cookies they have set on the client system.

conclusion: I think we can close this other than perhaps figuring out a way to depict the various cred-to-account mapping permutation possibilities.

@vijaybh
Copy link
Contributor

vijaybh commented Oct 18, 2016

Isn't (b) implied already by the various flows? For instance the processing step that was cited in #234 requires the RP to be able to look up an account/identity using a credential ID. There is no way to do this unambiguously if you allow a single credential ID to map to multiple accounts.

That said, I don't see why this is a requirement of the API. If an RP wants to do this and make their own life difficult, more power to them. Maybe they are going to use it as a way to provide redundancy between two equivalent accounts, I don't know. If we say nothing more on this topic, what would be the harm?

@equalsJeffH equalsJeffH modified the milestones: CR, WD-03 Oct 18, 2016
@equalsJeffH
Copy link
Contributor Author

@vijaybh wrote:

Isn't (b) implied already by the various flows? For instance the processing step that was cited in #234 requires the RP to be able to look up an account/identity using a credential ID. There is no way to do this unambiguously if you allow a single credential ID to map to multiple accounts.

sure, tho note that that processing step is just an example of how an RP might structure their use of the webauthn api.

That said, I don't see why this is a requirement of the API. If an RP wants to do this and make their own life difficult, more power to them. Maybe they are going to use it as a way to provide redundancy between two equivalent accounts, I don't know. If we say nothing more on this topic, what would be the harm?

I suspect what @smachani1 was originally soliciting is more "implementation guidance" wrt the various possibilities of cred-to-account mapping permutations.

I'll leave open, add to the set of "impl considerations" issues, and punt this to CR milestone for now.

vijaybh added a commit that referenced this issue Jan 10, 2017
@vijaybh
Many attestation and signature cleanups
b2ecda2 
Refactor the attestation section to clean up exposition. Separated out
signature verification (per format) from trust chaining (done at higher
layer).

Created a separate section for specifying key RP operations. Fixes #88.

RP registration section defines binding of credentials to user accounts.
Fixes #13.

RP registration section also defines options in case of registering the
same credential to different users. Fixes #12.

Cleans up and completes defining the process for verifying assertions,
which had already been largely done by @rlin1. Fixes #102.

Completes drawing the distinction between assertion and attestation
certificates. Fixes #118.

Replace "client platform" with "client" in signature format section to
avoid confusion. Fixes #209.
@equalsJeffH
Copy link
Contributor Author

this is relevant to "relying party deployment considerations" (nee implementation considerations)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@equalsJeffH equalsJeffH

Labels
stat:Discuss subtype:impl-cons type:editorial
Projects
None yet
Milestone
Last Working Draft
Development

No branches or pull requests
4 participants
@bifurcation @equalsJeffH @nadalin @vijaybh