Re: [w3ctag/design-reviews] Broadening the user base of WebAuthn (Issue #686)

I was imagining a mechanism where a hardware-based key could be used to sign synchronized keys (and the web site would rely on being presented with any key signed by the hardware key, basically using the hardware key like CAs do their root keypair but using an intermediate key on a daily basis). This would allow the synchronized keys to expire rapidly and be regenerated offline by using the hardware key and any of the synchronized keystores.

Your response indicated that's not how the device-key extension works. Can you explain more about what the device-key extension is meant to be used for, then? And have you considered a design like I mentioned?

-- 
https://github.com/w3ctag/design-reviews/issues/686#issuecomment-1028128732

Message ID: <w3ctag/design-reviews/issues/686/1028128732@github.com>

Received on Wednesday, 2 February 2022 16:38:21 UTC
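
The delegation idea raised in the message above, sketched as an added example (not part of the original message, and not how WebAuthn or the device-key extension works): a relying party that registered only the hardware public key accepts any synchronized key carrying an unexpired endorsement signed by it. Ed25519, the JSON endorsement format and every function name are assumptions made for illustration; a software key pair stands in for the hardware key.

```javascript
// Added illustration: all names and formats here are hypothetical, not WebAuthn API.
const { generateKeyPairSync, sign, verify, createPublicKey } = require("node:crypto");

// Stand-in for the hardware-bound root key (a real one would never leave the authenticator).
const hardwareKey = generateKeyPairSync("ed25519");

// The hardware key endorses a synchronized public key with a short lifetime.
function issueDelegation(rootPrivateKey, syncedPublicKey, notAfter) {
  const pub = syncedPublicKey.export({ type: "spki", format: "der" }).toString("base64");
  const body = JSON.stringify({ pub, notAfter });
  return { body, sig: sign(null, Buffer.from(body), rootPrivateKey).toString("base64") };
}

// Relying party check: endorsement signature first, then expiry, then the
// challenge signature made with the endorsed synchronized key.
function verifyAssertion(rootPublicKey, delegation, challenge, assertionSig, now) {
  const sig = Buffer.from(delegation.sig, "base64");
  if (!verify(null, Buffer.from(delegation.body), rootPublicKey, sig)) return "bad-delegation";
  const { pub, notAfter } = JSON.parse(delegation.body); // parsed only after it verified
  if (now > notAfter) return "expired";
  const syncedPub = createPublicKey({ key: Buffer.from(pub, "base64"), format: "der", type: "spki" });
  return verify(null, challenge, syncedPub, assertionSig) ? "ok" : "bad-assertion";
}

// Constructed scenario: timestamps and the challenge are sample values.
function demo() {
  const t0 = 1700000000;
  const challenge = Buffer.from("constructed-challenge");
  const synced = generateKeyPairSync("ed25519");
  const delegation = issueDelegation(hardwareKey.privateKey, synced.publicKey, t0 + 86400);
  const assertion = sign(null, challenge, synced.privateKey);

  // Same endorsement with the lifetime edited after signing.
  const extended = { ...delegation, body: delegation.body.replace(String(t0 + 86400), String(t0 + 9e6)) };

  // A key endorsed by something other than the registered hardware key.
  const rogue = generateKeyPairSync("ed25519");
  const rogueDelegation = issueDelegation(rogue.privateKey, rogue.publicKey, t0 + 86400);
  const rogueAssertion = sign(null, challenge, rogue.privateKey);

  const root = hardwareKey.publicKey;
  return {
    fresh: verifyAssertion(root, delegation, challenge, assertion, t0),
    stale: verifyAssertion(root, delegation, challenge, assertion, t0 + 86401),
    tampered: verifyAssertion(root, extended, challenge, assertion, t0),
    unendorsed: verifyAssertion(root, rogueDelegation, challenge, rogueAssertion, t0),
  };
}
```

The sketch covers only signature and expiry checks; revoking an endorsed key before it expires would need a separate mechanism.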