Re: [webauthn] Add keyStorage enum to ScopedCredentialOptions

@AngeloKai wrote:
> Authenticators with cross-platform roaming capability may or may not
> store key materials within the authenticator boundary

what you mean by "key materials" is actually the [credential private 
key](, yes?

> If an authenticator doesn't store key material, the RP needs to do
> additional actions of storing keys.

The implicit assumption in the spec has been that such authenticators 
(authnrs) would simply use their wrapped private keys as the 
credential ID they return to the RP.  This is how most (all?) U2F 
authenticators work today, yes? 

from the U2F Raw Messages spec:
> A key handle ... This is a handle that allows the U2F token to identify
> the generated key pair. U2F tokens MAY wrap the generated private key
> and the application id it was generated for, and output that as the
> key handle.

The RP always needs to retain the Credential ID returned by 
makeCredential() and so it is transparent to the RP whether or not it 
is storing the credential private key.

This is another candidate item to spell out more clearly in the spec 
in an "implementation considerations" section. 

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
using your GitHub account

Received on Wednesday, 1 March 2017 19:13:26 UTC
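The wrapped-key-as-credential-ID pattern discussed in the message above, as an added example that is not code from the thread, the WebAuthn spec or the U2F spec. It is a toy model: the authenticator's only persistent secret is an assumed device-wide AES-256-GCM key; `MakeCredential` wraps `rpIdHash || privateKey` (P-256, DER-encoded) and hands the blob back as the credential ID, `GetAssertion` unwraps it and signs, and `RPVerify` shows that the RP only ever holds the credential ID and the public key. The type and function names, the use of AES-GCM with the RP ID hash as associated data, and the sample RP IDs and challenges are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Authenticator is a toy model of a non-storing authenticator: its only
// persistent secret is a device-wide AES-256-GCM key; it keeps no per-credential state.
type Authenticator struct {
	gcm cipher.AEAD
}

func NewAuthenticator() (*Authenticator, error) {
	key := make([]byte, 32) // assumed device secret; never leaves the device
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Authenticator{gcm: gcm}, nil
}

// RPIDHash is the SHA-256 of the RP ID that the client passes to the authenticator.
func RPIDHash(rpID string) [32]byte { return sha256.Sum256([]byte(rpID)) }

// MakeCredential generates a fresh P-256 key pair, wraps rpIdHash||privateKey
// under the device key and returns that blob as the credential ID (the U2F
// "key handle") together with the public key the RP must store.
func (a *Authenticator) MakeCredential(rpIDHash [32]byte) (credentialID, pubKeyDER []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	if pubKeyDER, err = x509.MarshalPKIXPublicKey(&priv.PublicKey); err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, a.gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// rpIdHash is both inside the plaintext and bound as associated data, so
	// the same handle presented under another RP ID fails to unwrap.
	plaintext := append(append([]byte{}, rpIDHash[:]...), privDER...)
	credentialID = append(nonce, a.gcm.Seal(nil, nonce, plaintext, rpIDHash[:])...)
	return credentialID, pubKeyDER, nil
}

// unwrap recovers the private key from a credential ID; a blob minted by another
// device, minted for another RP, or tampered with is rejected here.
func (a *Authenticator) unwrap(credentialID []byte, rpIDHash [32]byte) (*ecdsa.PrivateKey, error) {
	ns := a.gcm.NonceSize()
	if len(credentialID) < ns+a.gcm.Overhead()+len(rpIDHash) {
		return nil, errors.New("credential ID too short")
	}
	pt, err := a.gcm.Open(nil, credentialID[:ns], credentialID[ns:], rpIDHash[:])
	if err != nil {
		return nil, errors.New("credential ID not valid for this authenticator and RP")
	}
	return x509.ParseECPrivateKey(pt[len(rpIDHash):])
}

// GetAssertion unwraps the key and signs SHA-256(challenge) with ECDSA.
func (a *Authenticator) GetAssertion(credentialID []byte, rpIDHash [32]byte, challenge []byte) ([]byte, error) {
	priv, err := a.unwrap(credentialID, rpIDHash)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RPVerify is all the RP side needs: the stored public key, never the private key.
func RPVerify(pubKeyDER, challenge, sig []byte) bool {
	pub, err := x509.ParsePKIXPublicKey(pubKeyDER)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}
```

The RP code path stores and echoes back the credential ID exactly as it would for an authenticator that keeps keys on-device, which is the transparency the message relies on. Binding the RP ID hash as GCM associated data is what makes a handle issued for one RP unusable under another, and the GCM tag is what lets a different device (or a tampered blob) be rejected before any signing happens.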