Merge pull request #2 from w3c/cryptographic-attestation

jasonjgw · web-flow · commit fbd57c8ee193 · 2021-11-30T10:38:06.000-05:00
Add a section summarizing the "cryptographic attestation of personhood" proposal by Cloudflare. Add associated bibliography entries.
diff --git a/biblio.js b/biblio.js
@@ -18,6 +18,20 @@ respecConfig.localBiblio = {
 		"publisher": "Anti-Phishing Working Group",
 		"href": "http://antiphishing.org/APWG_Phishing_Activity_Report_Jul_05.pdf"
 	},
+    "attestation": {
+	"authors": ["Thibault Meunier"],
+	"title": "Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness",
+	"publisher": "Cloudflare",
+	"date": "13 May 2021",
+	"href": "https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/"
+    },
+    "attestation-zero-knowledge": {
+	"authors": ["Watson Ladd"],
+	"title": "Introducing Zero-Knowledge Proofs for Private Web Attestation with Cross/Multi-Vendor Hardware",
+	"publisher": "Cloudflare",
+	"date": "12 August 2021",
+	"href": "https://blog.cloudflare.com/introducing-zero-knowledge-proofs-for-private-web-attestation-with-cross-multi-vendor-hardware/"
+    },
 	"breaking": {
 		"title": "Breaking CAPTCHAs Without Using OCR",
 		"date": "",
diff --git a/index.html b/index.html
@@ -38,6 +38,7 @@ <h3>The CAPTCHA Context</h3>
 						                        <h3>The Accessibility Challenge</h3>
 									 
 			<p>While online users continue broadly to report finding traditional CAPTCHAs frustrating to complete, it is generally assumed that an interactive CAPTCHA can be resolved within a few incorrect attempts. The point of distinction for people with disabilities is that a CAPTCHA not only separates computers from humans, but also often prevents people with disabilities from performing the requested procedure. For example, asking users who are blind, visually impaired or dyslexic to identify textual characters in a distorted graphic is asking them to perform a task they are intrinsically least able to accomplish. Similarly, asking users who are deaf, hard of hearing, or living with auditory processing disorder to identify and transcribe in writing the content of an audio CAPTCHA is asking them to perform a task they’re intrinsically least likely to accomplish. Furthermore, traditional CAPTCHAs have generally presumed that all web users can read and transcribe English-based words and characters, thus making the test inaccessible to a large number of non-English speaking web users worldwide. Frankly, a design pattern that expects multiple attempts from users as a matter of course is arguably inaccessible by design to persons living with an anxiety disorder as well as to many living with a range of other cognitive and learning disabilities.</p>
+			<p>As software developers at Cloudflare have observed [[attestation]], considerable time that could be devoted to more productive tasks is lost as a result of responding to CAPTCHA challenges. According to the authors' data, an average of 32 seconds are required for a user to complete a CAPTCHA. Applied to a large user population, the total time lost becomes significant. Although reliable estimates are not readily available, it is reasonable hypothesize that, even for people with disabilities who can complete CAPTCHA challenges successfully, albeit with some difficulty or inconvenience, the typical time devoted to the task is likely to be longer than the average for the population as a whole. Hence the cost can be assumed to be disproportionately large compared with that incurred by the general population.</p>.
 			<p>While Accessibility best practices require, and <a>assistive technologies</a> expect, substantive graphical images to be authored with text equivalents, <a>alternative text</a> in CAPTCHA images would clearly be self-defeating. CAPTCHAs are, consequently, allowed under the W3C's <a href="http://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html"> Web Content Accessibility Guidelines (WCAG)</a> provided that "text alternatives that identify and describe the purpose of the non-text content are provided, and alternative forms of CAPTCHA using output modes for different types of sensory perception are provided to accommodate different disabilities."</p>
 
 			<p>It is important to understand the limitation of the WCAG CAPTCHA exemption. It applies only to the content of the CAPTCHA. WCAG still requires that alternative text identify the graphical object as a CAPTCHA. Conformance with all other WCAG guidelines also remains critical for web accessibility.</p>
@@ -153,11 +154,15 @@ <h4>Biometrics</h4>
 255 of the Communications Act, 36 CFR 1194, Appendix C</a>, section 403 in the
 United States [[36-cfr-1194]].</p>
 
-<p>For this reason, biometric identification systems should be designed to allow users to choose among multiple and unrelated biometric identifiers. With that sole caveat, properly designed biometric identification systems are particularly attractive in situations where it is necessary to identify a particular human user. Their reliability is high, the cognitive load placed on the user low, and they are particularly difficult to foil. They have not yet been rendered suitable, however, in circumstances when it is necessary to preserve the user’s anonymity (i.e., the task is verifying that the user is human, without providing identifying information).</p>
-
+<p>For this reason, biometric identification systems should be designed to allow users to choose among multiple and unrelated biometric identifiers. With that sole caveat, properly designed biometric identification systems are particularly attractive in situations where it is necessary to identify a particular human user. Their reliability is high, the cognitive load placed on the user low, and they are particularly difficult to foil.  However, conventional applications of biometric authentication verify, and therefore disclose, the user's identity. They are thus unsuitable under circumstances in which it is desirable to preserve the user's anonymity reasons of privacy, while nevertheless establishing that the entity attempting to access an online service is human. The scheme described in the next section is designed to solve this problem.</p>
 
 			</section>
+			<section>
+			  <h4>Cryptographic Attestation of Personhood</h4>
+			  <p>An approach designed to verify that the user is a person, while preserving individual privacy, has recently been proposed by Cloudglare [[attestation]]. It is built upon the Web Authentication (WebAuthn) API [[webauthn-1]]. The WebAuthn registration process is invoked to establish that the user is in control of a hardware authentication device produced by a known and trusted manufacturer, as determined by a valid chain of digital certificates. If biometric authentication occurs in this procedure, as it typically does, then it is used only to unlock the private cryptographic key of the authentication device, and hence the user's identity is never explicitly disclosed to the party requesting evidence of personhood. A variant of this scheme has also been developed which offers stronger protection of privacy by not revealing the identity of the device manufacturer, which could be exploited in combination with other information to infer the user's identity.  This version of the approach requires the implementation of a protocol based on zer-knowledge proofs [[attestation-zero-knowledge]].</p>
+			  <p>Since the user is free to choose among a variety of authentication devices from reliable manufacturers, the hardware can be selected that best satisfies his or her accessibility-related needs and preferences. The inherent flexibility of the proposed approach is clearly advantageous to both security and accessibility.</p>
 			</section>
+		      </section>
 			<section id="noninteract">
 				<h3>Non-Interactive Stand-Alone Approaches</h3>
 

-Original file line number
+Diff line change
 						                        <h3>The Accessibility Challengeh3>
 			<p>While online users continue broadly to report finding traditional CAPTCHAs frustrating to complete, it is generally assumed that an interactive CAPTCHA can be resolved within a few incorrect attempts. The point of distinction for people with disabilities is that a CAPTCHA not only separates computers from humans, but also often prevents people with disabilities from performing the requested procedure. For example, asking users who are blind, visually impaired or dyslexic to identify textual characters in a distorted graphic is asking them to perform a task they are intrinsically least able to accomplish. Similarly, asking users who are deaf, hard of hearing, or living with auditory processing disorder to identify and transcribe in writing the content of an audio CAPTCHA is asking them to perform a task they’re intrinsically least likely to accomplish. Furthermore, traditional CAPTCHAs have generally presumed that all web users can read and transcribe English-based words and characters, thus making the test inaccessible to a large number of non-English speaking web users worldwide. Frankly, a design pattern that expects multiple attempts from users as a matter of course is arguably inaccessible by design to persons living with an anxiety disorder as well as to many living with a range of other cognitive and learning disabilities.p>
 +			<p>As software developers at Cloudflare have observed [[attestation]], considerable time that could be devoted to more productive tasks is lost as a result of responding to CAPTCHA challenges. According to the authors' data, an average of 32 seconds are required for a user to complete a CAPTCHA. Applied to a large user population, the total time lost becomes significant. Although reliable estimates are not readily available, it is reasonable hypothesize that, even for people with disabilities who can complete CAPTCHA challenges successfully, albeit with some difficulty or inconvenience, the typical time devoted to the task is likely to be longer than the average for the population as a whole. Hence the cost can be assumed to be disproportionately large compared with that incurred by the general population.p>.
 			<p>While Accessibility best practices require, and <a>assistive technologiesa> expect, substantive graphical images to be authored with text equivalents, <a>alternative texta> in CAPTCHA images would clearly be self-defeating. CAPTCHAs are, consequently, allowed under the W3C's <a href="http://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html"> Web Content Accessibility Guidelines (WCAG)a> provided that "text alternatives that identify and describe the purpose of the non-text content are provided, and alternative forms of CAPTCHA using output modes for different types of sensory perception are provided to accommodate different disabilities."p>
 			<p>It is important to understand the limitation of the WCAG CAPTCHA exemption. It applies only to the content of the CAPTCHA. WCAG still requires that alternative text identify the graphical object as a CAPTCHA. Conformance with all other WCAG guidelines also remains critical for web accessibility.p>
 of the Communications Act, 36 CFR 1194, Appendix Ca>, section 403 in the
 United States [[36-cfr-1194]].p>
 -<p>For this reason, biometric identification systems should be designed to allow users to choose among multiple and unrelated biometric identifiers. With that sole caveat, properly designed biometric identification systems are particularly attractive in situations where it is necessary to identify a particular human user. Their reliability is high, the cognitive load placed on the user low, and they are particularly difficult to foil. They have not yet been rendered suitable, however, in circumstances when it is necessary to preserve the user’s anonymity (i.e., the task is verifying that the user is human, without providing identifying information).p>
+-
 +<p>For this reason, biometric identification systems should be designed to allow users to choose among multiple and unrelated biometric identifiers. With that sole caveat, properly designed biometric identification systems are particularly attractive in situations where it is necessary to identify a particular human user. Their reliability is high, the cognitive load placed on the user low, and they are particularly difficult to foil.  However, conventional applications of biometric authentication verify, and therefore disclose, the user's identity. They are thus unsuitable under circumstances in which it is desirable to preserve the user's anonymity reasons of privacy, while nevertheless establishing that the entity attempting to access an online service is human. The scheme described in the next section is designed to solve this problem.p>
 			section>
 +			<section>
 +			  <h4>Cryptographic Attestation of Personhoodh4>
 +			  <p>An approach designed to verify that the user is a person, while preserving individual privacy, has recently been proposed by Cloudglare [[attestation]]. It is built upon the Web Authentication (WebAuthn) API [[webauthn-1]]. The WebAuthn registration process is invoked to establish that the user is in control of a hardware authentication device produced by a known and trusted manufacturer, as determined by a valid chain of digital certificates. If biometric authentication occurs in this procedure, as it typically does, then it is used only to unlock the private cryptographic key of the authentication device, and hence the user's identity is never explicitly disclosed to the party requesting evidence of personhood. A variant of this scheme has also been developed which offers stronger protection of privacy by not revealing the identity of the device manufacturer, which could be exploited in combination with other information to infer the user's identity.  This version of the approach requires the implementation of a protocol based on zer-knowledge proofs [[attestation-zero-knowledge]].p>
 +			  <p>Since the user is free to choose among a variety of authentication devices from reliable manufacturers, the hardware can be selected that best satisfies his or her accessibility-related needs and preferences. The inherent flexibility of the proposed approach is clearly advantageous to both security and accessibility.p>
 			section>
 +		      section>
 			<section id="noninteract">
 				<h3>Non-Interactive Stand-Alone Approachesh3>