-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Biometric Criteria Extension #510
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks nominally ok but IMO requires some terminological polishing.
index.bs
Outdated
that could be leveraged when creating the credential. | ||
|
||
: Extension identifier | ||
:: `biometricBound` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the extension title is "Authenticator Biometric Criteria", yet the extension identifier is "biometricBound" which is inconsistent. FAR and FRR are "biometric matching criteria", yes? Perhaps the latter should be "biometricMatchingCriteria" ? And perhaps the section title ought to be "Biometric Authenticator Matching Criteria" ?
index.bs
Outdated
:: Biometric performance bounds: | ||
|
||
<pre class="idl"> | ||
dictionary biometricCriteria{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
perhaps biometricCriteria
should be authenticatorBiometricMatchingCriteria
?
index.bs
Outdated
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Biometric Criteria | ||
Extension and biometric authenticators are available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we perhaps ought to define "biometric authenticators" up in terminology section, and then use [=biometric authenticators=]
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @gmandyam. Other than needing to (i think) define the input in terms of CBOR/CDDL and some further wordsmithing, this seems overall ok. HTH.
index.bs
Outdated
float FAR; | ||
float FRR; | ||
}; | ||
</pre> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
index.bs
Outdated
@@ -3093,6 +3096,43 @@ This [=registration extension=] and [=authentication extension=] enables use of | |||
01 -- Subitem 3: CBOR short for Matcher Protection Type Software | |||
</pre> | |||
|
|||
## Biometric Authenticator Matching Criteria Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would title it:
"Biometric Authenticator Performance Bounds Extension"
index.bs
Outdated
## Biometric Authenticator Matching Criteria Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} | ||
|
||
This [=registration extension=] allows a [=[RP]=] to specify the desired performance of a biometric authenticator | ||
that could be leveraged when creating the credential. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest:
This [=registration extension=] allows [=[RPS]=] to specify the desired performance bounds for selecting [=biometric authenticators=] as candidates to be employed in a [=registration=] ceremony.
index.bs
Outdated
The FAR is the maximum false rejection rate for a biometric authenticator allowed by the [=[RP]=]. | ||
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Biometric Criteria |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Authenticator Biometric Criteria Extension/this extension/
index.bs
Outdated
:: Biometric performance bounds: | ||
|
||
<pre class="idl"> | ||
dictionary authenticatorBiometricMatchingCriteria{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest:
s/ authenticatorBiometricMatchingCriteria/ authenticatorBiometricPerfBounds/
Thanks for review. Tried to address your comments in latest PR. Regarding CDDL, this extension is intended to terminate in the client and therefore has no required authenticator input. My interpretation of https://w3c.github.io/webauthn/#sctn-client-extension-processing is that CBOR definition is only required when a "client extension input can be used to determine the CBOR authenticator extension input." |
index.bs
Outdated
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the this | ||
extension and at least one [=biometric authenticator=] is available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First off: s/the this/this/
Second:
If the client supports the this extension and at least one biometric authenticator is available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided.
This formulation would likely be confusing with the new hot-plugging approach for create()
. We no longer assume that there will be a single instant when you can list all "available" authenticators. Instead they will appear at some point (possibly immediately, e.g., platform authenticators) during the timeout, and the client can't know if the user will plug in an eligible biometric authenticator after the client has found a non-biometric authenticator. I therefore suggest reformulating this to something more like:
If the client supports this extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided.
Thanks. Changes made; please review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a few consistency items, otherwise LGTM
index.bs
Outdated
@@ -3861,6 +3864,45 @@ This [=registration extension=] and [=authentication extension=] enables use of | |||
01 -- Subitem 3: CBOR short for Matcher Protection Type Software | |||
</pre> | |||
|
|||
|
|||
## Biometric Authenticator Performance Bounds Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: s/sctn-authenticator-biometric-criteria-extension/sctn-authenticator-biometric-perf-bounds/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest:
s/biometricBound/biometricPerfBounds/
index.bs
Outdated
as candidates to be employed in a [=registration=] ceremony. | ||
|
||
: Extension identifier | ||
:: `biometricMatchingCriteria` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest:
s/biometricMatchingCriteria/biometricPerfBounds/
wrt #510 (comment) -- what do others think? |
Re #510 (comment) : Seems reasonable to me. The |
index.bs
Outdated
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does client know these values? Are you expecting client to contact some authority who verifies it? FIDO metadata service?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that is certainly one potential approach. Expectation is that authenticator would've gone through FIDO Biometric Cert, had its performance verified, and agreed to publish its performance data on the FIDO Metadata Service (MDS).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This whole thing seems really brittle. It's more likely to provide a false sense of security than to actually be accurate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so the above text perhaps ought to additionally indicate that various platform-specific means (eg some possibly based on the MDS) are anticipated for the client platform to use in order to have knowledge of these values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Providing no data of this is kind is better than providing data that provides a false sense of security. Unless there are existing related deployments to cite that successfully use similar functionality, I would consider this too speculative to include in the specification.
Please consider creating a separate specification for this proposed extension. This could still be registered in the IANA WebAuthn Extensions registry, and therefore be available to implementers.
index.bs
Outdated
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This whole thing seems really brittle. It's more likely to provide a false sense of security than to actually be accurate.
I am sorry; I don't understand your exact concern.
Why is https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-metadata-statement-v1.2-rd-20171128.html#dictionary-biometricaccuracydescriptor-members insufficient for this purpose? Do you believe FRR and FAR are not sufficiently defined in this specification, and therefore a new specification is needed?
I don't understand this concern as written. Perhaps you can explain further. Do you believe that FIDO MDS information on biometric accuracy will be inaccurate and/or unverified, for instance? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thx, LGTM.
index.bs
Outdated
|
||
: Client extension processing | ||
:: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so the above text perhaps ought to additionally indicate that various platform-specific means (eg some possibly based on the MDS) are anticipated for the client platform to use in order to have knowledge of these values.
Hi Mike -- it seems to me that you are proposing a process here that the WG has not itself decided upon and is up to the WG to impose rather than individual members. |
How would you feel about this if the specified requirement in the extension, instead of
was something more like this?
|
building on @emlun's fine suggestion, we perhaps ought to add a pointer to where one might obtain such metadata (as we have done elsewhere in the spec):
I note in FIDO Metadata Service section 3.3 "BiometricAccuracyDescriptor dictionary" that there is provision for conveying FAR, FRR, ERR, FAAR and other applicable metadata values. |
By the way I'd also like to note that in the end it falls on the RP to verify any claimed performance certification by inspecting the attestation statement, and not blindly trust the client to do this verification. It is thus not critical to the integrity of the protocol that the client can derive these properties perfectly or even reliably, but it is of course nice if the extension can enable failing early. |
@equalsJeffH @emlun So the extentions are vendor spepcifc that is they can do what they want, so including specifics may not be the correct way to go as that may dictate a specific implementaion |
I think what @emlun is teasing-out is a possible impl-cons Note or something similar, that's all. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After the merge conflicts are resolved, I'm now OK with this being merged.
After the merge conflicts are resolved, I'm now OK with this being merged. |
@gmandyam can you fix the branch conflicts and merge |
Yes - I am working on it. I am getting a Travis build failure currently and am trying to debug. |
Biometric Selection Criteria extension
Preview | Diff