Re: a proof method using webauthn/passkeys from Orie Steele on 2022-11-18 (public-credentials@w3.org from November 2022)

From: Orie Steele <orie@transmute.industries>
Date: Fri, 18 Nov 2022 10:23:43 -0600
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: public-credentials@w3.org
Message-ID: <CAN8C-_LO4YQSvx=c8HhRBaC5M3o_LydUVEKTe8OL1qa+SSkf6A@mail.gmail.com>

Very interesting.

I made a similar demo a while back and tried to bind it to did:key, but
that failed for several reasons (mostly WebAuthN only produces signatures
for authentication, so the identifier you get can't do much).

I feel like there should be a way to add did:jwk to this trivially,
perhaps even including some of the additional details in x5c/ x5u.

In this issue on the did:jwk method spec:
https://github.com/quartzjer/did-jwk/issues/12

I proposed extending did:jwk with additional method specific content...
this seems very aligned with what you are proposing regarding the base64url
encoding of WEbAuthn related data.

I'd love to collaborate on this further, especially now that chrome
supports platform authenticators, I don't even need the Yubikey part (which
I had to use in my previous experiment), because using an Apple laptop with
fingerprint reader works now.

OS

On Fri, Nov 18, 2022 at 3:45 AM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Hi all,
>
>
>
> I would like to propose a new proof method and I would really love your
> feedback.
>
>
>
> The proposed method targets cloud-based wallets and it enables proofs
>  generated by user-controlled devices using WebaAuthN/Passkeys. The idea is
> very simple: the digest of a DID document/VC/VP is used as the WebAuthN
> “challenge” (see this article by Yubico for more details
> https://developers.yubico.com/WebAuthn/Concepts/Using_WebAuthn_for_Signing.html
> )
>
>
>
> I have created a demo page that emulates the functionality that should be
> implemented by a cloud-based wallet https://excid-io.github.io/fido2-sign/
> (source code https://github.com/excid-io/fido2-sign). A proof should then
> include in addition to the signature, the “authenticatorData” and the
> base64url encoded “clientDataJSON”. The demo has been tested with
> Edge/Chrome on windows with yubikey, Safari on iOS 16/MacOS Ventura
> (passkey), and it fails with Firefox.
>
>
>
> Best,
>
> Nikos
>
>
>
> Nikos Fotiou - https://www.fotiou.gr
>
> Researcher - Mobile Multimedia Laboratory
>
> Athens University of Economics and Business
>
> https://mm.aueb.gr
>
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

Received on Friday, 18 November 2022 16:24:07 UTC