13C/ FIDO / WebAuth for Verifiable Credentials

From IIW

FIDO / WebAuth for Verifiable Credentials

Session Convener: Torsten Lodderstedt, Paul Bastian

Notes-taker(s): Mike Jones, (someone else)

Tags / links to resources / technology discussed, related to this session:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Diagram of 1st approach (makeCredential/getAssertion) https://www.youtube.com/watch?v=dQw4w9WgXcQ

  • Group went through the proposal step by step
  • Identified a couple of pitfalls
    • Signed response from FIDO authenticator contains more data than just the pure signature of the challenge (e.g. client id of the Wallet with the authenticator)
    • Does not directly fit with existing proof methods for verifiable credentials

We dove deep into what FIDO attestations actually do and surprising things that they do not do and what it would take to use them with a wallet as the FIDO RP.

The surprising thing is that there's no proof of possession of the credential private key in the WebAuthn/FIDO protocols - only of the attestation private key.

John Bradley went into how the HMAC Secret Extension https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-hmac-secret-extension could be useful in this scenario, barring the limitation that only the platform has access to the HMAC key. He said that a new extension is in the works without that limitation.