openscreenprotocol
openscreenprotocol copied to clipboard
w3c
[Auth] Certificates and devices
These comments relate to the authentication discussion of the open screen protocol. In particular I wanted to comment on the devices and their certificate discussion from the last F2F meeting.
There is a discussion in the meeting notes:
an area for exploration, with hardware backed certificates, show device number as trusted information in the UI. we could eventually find a way for trusted manufacturer public keys to incorporated
… another idea that could be explored is generating new certificates when changing the friendly name of the device. it's about the integrity of the information we display to the user
Although the device number from a trusted device is a truth, anybody can produce a cert with any ID as the subject (if there is no root CA then there is no trusted assertion of the key-to-ID binding). If an attacker persuades the client to trust the bogus cert - because the subject matches the known ID of the receiver in the same room, the controller will authenticate with unknown receivers. IDs cannot be proxies for public keys. Perhaps receivers need to have their public keys stamping on the front?
If there is a trusted common root CA and device specific certificate, then TLS almost wins anyway. Authentication of the specific physical device just needs a quick visual test through the channel before any confidential data. (I suppose the equivalent step in SSL is the check that the DNS domain matches the certificate subject)
is there a way for a controller and receiver to agree on the mechanism to use for passcode exchange (e.g, QR code, NFC, or other mechanisms)?
… it could enable the receiver to choose which UI to present
This looks a bit like the Wi-fi alliance device provisioning protocol 1.0 which seems to enable all of these. See https://www.wi-fi.org/discover-wi-fi/specifications
These are some interesting thoughts, thank you for noting them.
Trust of a name-to-key binding in the 1.0 spec happens as part of the mutual authentication handshake outlined in the spec, which accepts the current friendly name offered by the device if it is able to prove ownership of the associated certificate. If the name or certificate changes, then the binding is flagged or forgotten. Sections 3, 4, and 8.5.2 of the spec discuss this; we still have some details to work through.
Using a separate, trusted signing certificate for name-to-key binding is also possible, but not currently part of the 1.0 spec. I feel it is something we should look at as a future enhancement.
We don't have a 100% solution to certificate-name binding in the current spec. One idea is that a name like "My Living Room TV" from mDNS can be presented alongside the PSK during the authentication ceremony, and by completing the ceremony the user will bind that name to the certificate. That way when the user is selecting the device in the future, they will see "Living Room TV" and not some random string from the SPKI.
https://w3c.github.io/openscreenprotocol/#security-ui
I think this section of the spec could be improved, but would need to think about it and perhaps consult with folks who work on security UI for guidance here. Also, it's tricky to write it in a way that doesn't dictate exactly what the UI should look like (since that's not really the job of the protocol itself). Maybe others have thoughts here.