RE: RFC 8252 is a complete joke

Hi Mike,

From: ietf <ietf-bounces@xxxxxxxx> On Behalf Of Michael Thomas
Sent: 05 July 2023 02:10
To: ietf@xxxxxxxx
Subject: Re: RFC 8252 is a complete joke

On 7/4/23 5:47 PM, Keith Moore wrote:

On 7/4/23 20:12, Michael Thomas wrote:

As far as I can tell there's a glaring hole in current IETF authentication protocols in that we don't have general purpose protocol support (not something that requires or expects a web browser) for (a) multi-factor authentication and (b) hardware keys.

I think one of the biggest weaknesses of webauthn is that it has made hardware keys the enemy of software keys. For a huge swath of authentication needs, software private keys would be completely sufficient. I don't want to require a hardware frob to log into facebook or some other lame site. I don't want my laptop being obsoleted because it doesn't have a camera or fingerprint detector. The introduction of hardware with the FIDO stuff in webauthn makes it ridiculously more complicated and for no appreciable gain in security for the average case. I'm fine with hardware for my bank accounts whose companies can afford to figure this out, but the goal should be to make public key authentication drop dead simple for the rest and webauthn is definitely not that.

I guess I think that the authentication standards should be agnostic about what kind of authentication is used, that should be up to the service requiring authentication to decide.   But every protocol should have at least one robust authentication method available that can be implemented purely in software and without using anything proprietary.  (If a service wants to require some sort of proprietary frob to authenticate to that service, I guess that's up to them, but the standards should facilitate secure authentication between any two cooperating parties.)

As far as I can tell, it doesn't seem that webauthn specifically excludes non-hardware credentials, but the last time I checked browser support is either non-existent or extremely obscure (Firefox requires an about:flags or whatever toggle, Chrome doesn't support it at all). Suffice it to say, I gave up trying to get it to work even though I was intimately familiar with what they were trying to achieve. This doesn't need to be difficult and frankly reeks of hardware dongle vendors' self-interest to make this impossible otherwise. That was extremely disappointing.

I have thought about bringing my webcrypto-only login/enrollment to IETF for standardization but I'm not sure what the venue might be. It doesn't require webcrypto per se -- webcrypto is just a shim of normal crypto available to anything that has crypto library access, after all. So it would work for anything -- native apps, headless apps, etc. But it seems to be pushing on a string for anybody to care. Vested Interests for $2000, Alex. It's the curse of public key cryptography in general.

SECDISPATCH would seem like a reasonable starting place, or maybe SAAG if you wanted to present more generally on the perceived problem space. If you already know that this is a bigger problem that you are trying to solve then perhaps side meetings to try to gather some interest, then a BOF.

Regards,
Rob

Mike