I agree that WebAuthN is not attestation. It uses attestation internally, but 
that doesn’t change it into an attestation service.

The use of hardware or not is orthogonal to the type of service (attestation, 
authentication…) being provided.

My comment was about posture assessment.

LL


> On Sep 20, 2025, at 1:33 PM, Mike Ounsworth <[email protected]> wrote:
> 
> Ugg. I regret my choice to send words to the RATS mailing list because now 
> I'm in a pointless debate about words. Ok. Here goes.
> 
> Sure sure sure. WebAuthn CAN be used for things beyond what you could do with 
> a basic X.509 client cert. I am saying that (as I understand it) both 
> draft-acme-device-attest and draft-acme-client don't. As I understand it, 
> both of those drafts are simply plucking an ID out of the WebAuthn blob, and 
> then using that ID for whatever lookups they need.
> 
> I am saying that's really "authentication with a hardware token" not "remote 
> attestation" in the full sense of the word. Certainly it's not offering any 
> of the more robust features that you might expect from something RATSy (like, 
> "Is the client device fully patched and running genuine firmware?" which is 
> what I meant by "posture assessment"). MCR correctly pointed out that both 
> draft-lamps-csr-attest and draft-acme-rats do allow for full-scope RATSyness.
> 
> I am afraid that this thread will now explode into a philosophical debate 
> about whether "authentication with a hardware token" is a subset of "remote 
> attestation" or not. For that, I'm sorry because I don't actually care.
> 
> 
> -Mike
> 
> On Sat, Sep 20, 2025, 16:21 Laurence Lundblade <[email protected] 
> <mailto:[email protected]>> wrote:
>> 
>>> On Sep 20, 2025, at 12:55 PM, Mike Ounsworth <[email protected] 
>>> <mailto:ounsworth%[email protected]>> wrote:
>>> 
>>>  neither of them is *really* doing anything RATSy, which would involve for 
>>> example taking a posture assessment of the device from which the request 
>>> originated.
>> 
>> 
>> Not sure what precisely is meant by posture assessment, but I don’t think 
>> attestation/RATS requires measurements at all. A single evidence message 
>> that just identifies the device as made and secured by some OEM is enough.
>> 
>> I’m a little out of date on FIDO/WebAuthN. Maybe nothing has changed. 
>> FIDO/WebAuthN does both device attestation and user authentication. It was 
>> the device attestation part of FIDO that got me started working on EAT.
>> 
>> (FIDO needs device attestation because the user is no longer presenting 
>> their authentication credential to the server. Instead the user presents 
>> their credential (e.g. fingerprint) to the device and the device 
>> authenticates to the server. The server wants to know the device is a 
>> trusted intermediary. There’s no measurement of the device in FIDO 
>> attestation).
>> 
>> LL
>> 
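As an added example (not code from this thread, from FIDO, or from either ACME draft), this is what "plucking an ID out of the WebAuthn blob" and FIDO's measurement-free device attestation actually amount to on the wire: a minimal CBOR decode of a WebAuthn attestationObject, splitting the user-authentication flags from the device identity (AAGUID plus optional OEM certificate chain). Every byte of the sample is constructed; the AAGUID, signature and certificate are placeholders.

```python
import hashlib

def cbor_decode(buf, i=0):
    # Minimal decoder for the CBOR types WebAuthn uses: ints, bstr, tstr, array, map
    mt, val, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if val >= 24:  # additional info 24..27: 1, 2, 4 or 8 length bytes follow
        n = 1 << (val - 24)
        val, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if mt == 0: return val, i
    if mt == 1: return -1 - val, i
    if mt == 2: return bytes(buf[i:i + val]), i + val
    if mt == 3: return buf[i:i + val].decode(), i + val
    if mt in (4, 5):
        out = [] if mt == 4 else {}
        for _ in range(val):
            k, i = cbor_decode(buf, i)
            if mt == 4:
                out.append(k)
            else:
                v, i = cbor_decode(buf, i)
                out[k] = v
        return out, i
    raise ValueError("unsupported CBOR major type %d" % mt)

def parse_auth_data(ad):
    # authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
    flags = ad[32]
    out = {"rpIdHash": ad[:32], "userPresent": bool(flags & 0x01),      # UP/UV: the *user* authentication part
           "userVerified": bool(flags & 0x04), "signCount": int.from_bytes(ad[33:37], "big")}
    if flags & 0x40:  # AT flag: attested credential data (the *device* part) is present
        out["aaguid"] = ad[37:53].hex()
        cid_len = int.from_bytes(ad[53:55], "big")
        out["credentialId"] = ad[55:55 + cid_len]
        out["credentialPublicKey"], _ = cbor_decode(ad, 55 + cid_len)
    return out

def device_identity(attestation_object):
    # All the blob says about the device: format, OEM cert chain present or not, AAGUID (a model id, not a measurement)
    obj, _ = cbor_decode(attestation_object)
    ad = parse_auth_data(obj["authData"])
    return {"fmt": obj["fmt"], "has_x5c": "x5c" in obj["attStmt"],
            "aaguid": ad.get("aaguid"), "signCount": ad["signCount"]}

# Constructed sample (not from a real authenticator): placeholder AAGUID, dummy sig, 4-byte stand-in cert
AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
COSE_P256 = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + bytes(32) + b"\x22\x58\x20" + bytes(32)
AUTH_DATA = (hashlib.sha256(b"example.com").digest() + b"\x45" + (7).to_bytes(4, "big")
             + AAGUID + (16).to_bytes(2, "big") + bytes(range(16)) + COSE_P256)
ATTESTATION_OBJECT = (b"\xa3\x63fmt\x66packed\x67attStmt\xa3\x63alg\x26\x63sig\x44\xde\xad\xbe\xef"
                      + b"\x63x5c\x81\x44\x30\x82\x00\x00\x68authData\x58" + bytes([len(AUTH_DATA)]) + AUTH_DATA)
```

Nothing in the decoded structure speaks to patch level or firmware integrity; a verifier that needs that has to obtain it through evidence the authenticator does not carry here.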

_______________________________________________
Acme mailing list -- [email protected]