[webauthn] Requesting properties of created credentials. (#1449)

ve7jtb has just created a new issue for https://github.com/w3c/webauthn:

== Requesting properties of created credentials. ==
In conversations with some government RP around national ID programs, there seems to be a requirement that keys not be exportable or shared.

That may or may not be the case with FIDO L1 and L2 authenticators depending on a number of factors.

In some cases, the RP may also want to guide the user to an authenticator with a particular certification.
As an example, a US FedRAMP high application may need a FIPS-140-L2 certified authenticator.
Now the RP needs to call makeCredential and ask for an attestation; they then reject any that don't meet the requirements set in metadata.

In the first use case, an authenticator might be able to store both restricted and unrestricted credentials if it could get the RP's requirements.

I am proposing a new extension that would pass policy requirements to the authenticator and platform.  

In the case of the RP wanting a restricted credential, the extension would have a map with { "keyProtection" : 2 , "isKeyRestricted" : True } to indicate it wants HW protected keys that aren't shared with other applications.

One concern is that at some point platform authenticators will start backing up keys. If we don't have a way to flag a key as restricted, then eID systems may not allow platform authenticators, causing regrettable fragmentation.

We will need to discuss what sorts of policies are appropriate. The extension containing a map is the simple part.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449 using your GitHub account

Received on Wednesday, 1 July 2020 17:51:43 UTC
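
The RP-side check the issue describes (ask for attestation, then reject authenticators whose metadata does not meet the requirements), applied to the policy map from the proposal. This is an added example, not part of the original issue or of any WebAuthn or FIDO specification. Assumptions: `keyProtection` is read as a bit field in which 2 means hardware-protected keys, the name `checkCredentialPolicy` and the sample metadata statements are constructed, and a missing field fails the check.

```javascript
// Added example: evaluate an authenticator's metadata statement against
// an RP policy map shaped like the one proposed in the issue.
// Assumption: keyProtection is a bit field (0x1 software, 0x2 hardware,
// 0x4 TEE, 0x8 secure element); every bit the policy sets must be present.

function checkCredentialPolicy(policy, metadata) {
  // No metadata statement means the RP cannot verify anything: fail closed.
  if (metadata === null || typeof metadata !== "object") {
    return { ok: false, failures: ["no metadata statement"] };
  }
  const failures = [];
  if (Number.isInteger(policy.keyProtection)) {
    const have = Number.isInteger(metadata.keyProtection)
      ? metadata.keyProtection
      : 0; // missing field: treated as no protection claimed
    if ((have & policy.keyProtection) !== policy.keyProtection) {
      failures.push("keyProtection");
    }
  }
  // Only an explicit true satisfies the restriction requirement.
  if (policy.isKeyRestricted === true && metadata.isKeyRestricted !== true) {
    failures.push("isKeyRestricted");
  }
  return { ok: failures.length === 0, failures };
}

// Policy map from the proposal.
const POLICY = { keyProtection: 2, isKeyRestricted: true };

// Constructed metadata statements, reduced to the two fields checked here.
const SAMPLE_METADATA = {
  hardwareKey: { keyProtection: 0x2 | 0x8, isKeyRestricted: true },
  softwareKey: { keyProtection: 0x1, isKeyRestricted: false },
  backedUpKey: { keyProtection: 0x2 | 0x4, isKeyRestricted: false },
};

function evaluateSamples() {
  const results = {};
  for (const [name, md] of Object.entries(SAMPLE_METADATA)) {
    results[name] = checkCredentialPolicy(POLICY, md);
  }
  // An authenticator with no metadata entry at all.
  results.unknown = checkCredentialPolicy(POLICY, null);
  return results;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```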