Mike,
I was leaning the other way. Since the NIST approach is forcing us to build loopholes in our criteria, I continue to think that being more specific limits the risk of ‘another version "born" outside of FIDO.’ NIST has been open about their lack of concern for assessable criteria, and building “flexibility/ambiguity” may make sense from their perspective; perhaps not from ours.
As written, the current guidance seems to be that Cryptographic Software Authenticators can now ignore the prohibition against “facilitate the cloning of the secret key onto multiple devices,” if they implement other controls that WE CANNOT assess. I assume this is predicated on risk assessments performed by NIST on FIDO implementations and not hypothetical future protocols. So, I’m thinking maybe we should consider retaining our limitation. Someone comes up with a new approach, we can update again. Even at our glacial pace, we’re still more agile than NIST.
😊
jimmy
From: Mike Magrath <mmagrath@easydynamics.com>
Sent: Thursday, November 21, 2024 12:09 PM
To: IA WG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Re: Proposed Passkey notice criteria
A couple of comments...
Regards,
Mike
Michael Magrath (he/him) | Director of Identity Policy and Industry Relations | Easy Dynamics Corp
mmagrath@easydynamics.com | 703-944-1090
From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz>
Sent: Thursday, November 21, 2024 10:47 AM
To: IA WG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Proposed Passkey notice criteria
I believe that the list of criteria which should be referenced in the proposed notice are as follows:
63B# - 0410, 0420, 0430, 0440, 0450, 0460, 1150, 1160, 1210, 1220, 1230, 1240, 1270, 1280, 1290, 1300, 1310, 1320, 1330, 1450, 1460, 1470, 1480, 1490, 1500, 1510, 1520, 1530, 1540, 1550
These have been previously brought to the IAWG’s attention when we were meddling with the actual text of some of these.
Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942