W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2018

Re: [webauthn] Portability of private keys

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Apr 2018 16:00:08 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-380505308-1523462406-sysbot+gh@w3.org>
Yes, those are legitimate issues we (Yubico) haven't yet solved, and WebAuthn does not yet attempt to solve them either. On the other hand, RPs could provide recovery options much like the password recovery schemes in use today.

I've had thoughts about that kind of standardised key management protocol as well, but I'd say that's well outside the scope of the initial ("Level 1") release of the WebAuthn spec. It might be possible to add that later in a way that would be somewhat compatible with existing registrations, but I'm skeptical about the feasibility of it. For starters, the website domains you register with aren't saved in (or even exposed to) the authenticator - in fact some authenticators won't actually store anything at all, and instead encrypt the data and "store" it in the credential ID on the server - so you'd need to maintain a separate list of domains for the management client to connect to. Couple that with how every RP will have their own unique quirks in how they manage accounts and registrations, and I don't foresee such a protocol being widely adopted even if one exists.

Anyway, this issue tracker isn't the place for extended discussion of this kind; see https://github.com/w3c/webauthn/issues/820#issuecomment-369131584 :

>If you want to have a general discussion about the specification and its goals, it should happen on the public-webauthn@w3.org mailing list.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/865#issuecomment-380505308 using your GitHub account
Received on Wednesday, 11 April 2018 16:00:20 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:32 UTC