Re: [Rats] draft-richardson-rats-usecases-00 comments

[Laurence Lundblade <lgl@island-resort.com>]

The way I’d approach the FIDO use case is to say that the relying party wants to to have the HW/SW implementation that did the biometric check strongly identified (attested). This is to make sure that the end user is not using some short cut or hacked, or insecure implementation that is not checking the biometric properly. 

FIDO allows a bunch of attestation formats now because there is no broadly common attestation format, something I hope we will remedy. It will take some years of course…

I don’t know that it is necessary to dig into all the different formats that FIDO allows.

Agree with Tony that solving the privacy issue in a broad standard way will be really helpful for lots of use cases (also some use cases don’t have a privacy issue).

LL

> On Mar 12, 2019, at 8:27 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:
>> The section on FIDO usecase (5.3) is out of date, as in FIDO/W3C there are
>> many attestation formats that are acceptable from devices, the major concern
>> that we have is the privacy issues as most all the attestation formats lead
>> to potential collusion in one form or the other. The JS API is now the W3C
>> WebAuthentication API that is a recommendation now, this is no longer in
>> FIDO. I would be happy to send edits to this section.
> 
> That would be wonderful, THANK YOU!
> It's a -00 afterall, and the goal is to tease out what might be
> old/nonsensical/etc. so that we can get to the bottom of things :-)
> 
> (I thought I did say that it all became the WebAuthentication API...)
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats