Ugg. I regret my choice to send words to the RATS mailing list because now I'm in a pointless debate about words. Ok. Here goes.

Sure sure sure. WebAuthn CAN be used for things beyond what you could do with a basic X.509 client cert. I am saying that (as I understand it) both draft-acme-device-attest and draft-acme-client don't. As I understand it, both of those drafts are simply plucking an ID out of the WebAuthn blob, and then using that ID for whatever lookups they need. I am saying that's really "authentication with a hardware token", not "remote attestation" in the full sense of the word. Certainly it's not offering any of the more robust features that you might expect from something RATSy (like "Is the client device fully patched and running genuine firmware?", which is what I meant by "posture assessment").

MCR correctly pointed out that both draft-lamps-csr-attest and draft-acme-rats do allow for full-scope RATSyness.

I am afraid that this thread will now explode into a philosophical debate about whether "authentication with a hardware token" is a subset of "remote attestation" or not. For that, I'm sorry, because I don't actually care.

-Mike

On Sat, Sep 20, 2025, 16:21 Laurence Lundblade <[email protected]> wrote:

> On Sep 20, 2025, at 12:55 PM, Mike Ounsworth <[email protected]> wrote:
>
> > neither of them is *really* doing anything RATSy, which would involve for example taking a posture assessment of the device from which the request originated.
>
> Not sure what precisely is meant by posture assessment, but I don’t think attestation/RATS requires measurements at all. A single evidence message that just identifies the device as made and secured by some OEM is enough.
>
> I’m a little out of date on FIDO/WebAuthN. Maybe nothing has changed. FIDO/WebAuthN does both device attestation and user authentication. It was the device attestation part of FIDO that got me started working on EAT.
>
> (FIDO needs device attestation because the user is no longer presenting their authentication credential to the server. Instead the user presents their credential (e.g. fingerprint) to the device and the device authenticates to the server. The server wants to know the device is a trusted intermediary. There’s no measurement of the device in FIDO attestation).
>
> LL
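To make the "plucking an ID out of the WebAuthn blob" point concrete, here is an added example (not from the thread, and not code from any of the drafts mentioned) that decodes the fixed-layout part of WebAuthn authenticator data and pulls out the authenticator identifier. The field layout follows the W3C WebAuthn authData format; the sample bytes, the AAGUID value and the relying-party name are constructed for the example. What comes out is an AAGUID naming the authenticator make/model (plus a signature counter and the user-presence/verification flags). Nothing in this structure carries a patch level or a firmware measurement, which is the gap between "authentication with a hardware token" and a posture assessment.

```python
"""Decode WebAuthn authenticator data and extract the authenticator ID (AAGUID).

Added example for the mailing-list discussion; not code from the drafts.
Layout per W3C WebAuthn (authData):
    rpIdHash(32) | flags(1) | signCount(4, big-endian)
    | [aaguid(16) | credentialIdLength(2) | credentialId | credentialPublicKey (CBOR COSE_Key)]
The bracketed part is present only when the AT flag is set.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included (not handled in this example)


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]      # only when FLAG_AT is set
    credential_id: Optional[bytes]   # only when FLAG_AT is set
    credential_public_key: bytes     # raw CBOR COSE_Key, left opaque here

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse authData, rejecting truncated input and the ED case this example skips."""
    if len(data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    if flags & FLAG_ED:
        raise ValueError("extension data (ED) not supported in this example")
    aaguid, cred_id, pubkey = None, None, b""
    if flags & FLAG_AT:
        rest = data[37:]
        if len(rest) < 18:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=rest[:16])
        (cred_len,) = struct.unpack(">H", rest[16:18])
        if len(rest) < 18 + cred_len:
            raise ValueError("credential ID truncated")
        cred_id = rest[18:18 + cred_len]
        pubkey = rest[18 + cred_len:]       # without ED, the COSE key runs to the end
        if not pubkey:
            raise ValueError("credentialPublicKey missing")
    elif len(data) != 37:
        raise ValueError("trailing bytes present but AT flag not set")
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, cred_id, pubkey)


def authenticator_id(data: bytes) -> str:
    """The lookup key a server can take from authData: the AAGUID as a string."""
    parsed = parse_authenticator_data(data)
    if parsed.aaguid is None:
        raise ValueError("no attested credential data, so no AAGUID")
    return str(parsed.aaguid)


# --- constructed sample input (made up for this example, not a real authenticator) ---
SAMPLE_RP_ID = "example.com"
SAMPLE_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder value
SAMPLE_CRED_ID = bytes(range(16))
# Minimal CBOR map {1: 2, 3: -7, -1: 1} standing in for a COSE_Key header (no coordinates).
SAMPLE_COSE_KEY = bytes.fromhex("a3010203262001")


def build_sample_auth_data() -> bytes:
    return (
        hashlib.sha256(SAMPLE_RP_ID.encode()).digest()
        + bytes([FLAG_UP | FLAG_AT])
        + struct.pack(">I", 7)
        + SAMPLE_AAGUID.bytes
        + struct.pack(">H", len(SAMPLE_CRED_ID))
        + SAMPLE_CRED_ID
        + SAMPLE_COSE_KEY
    )


if __name__ == "__main__":
    ad = parse_authenticator_data(build_sample_auth_data())
    print("AAGUID:", ad.aaguid, "| signCount:", ad.sign_count,
          "| UP:", ad.user_present, "| UV:", ad.user_verified)
```

The parser stops at the structure itself: verifying the attestation statement's signature against the authenticator vendor's CA, and then deciding what that AAGUID is allowed to do, is the part that belongs to the relying party or ACME server. Even after that step, the only thing established is which make/model of authenticator signed, not whether the host it is plugged into is patched or running genuine firmware.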
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
