Re: [webauthn] Portability of private keys

Yes, those are legitimate issues we (Yubico) haven't yet solved, and WebAuthn does not yet attempt to solve them either. On the other hand, RPs could provide recovery options much like the password recovery schemes in use today.

I've had thoughts about that kind of standardised key management protocol as well, but I'd say that's well outside the scope of the initial ("Level 1") release of the WebAuthn spec. It might be possible to add that later in a way that would be somewhat compatible with existing registrations, but I'm skeptical about the feasibility of it. For starters, the website domains you register with aren't saved in (or even exposed to) the authenticator - in fact some authenticators won't actually store anything at all, and instead encrypt the data and "store" it in the credential ID on the server - so you'd need to maintain a separate list of domains for the management client to connect to. Couple that with how every RP will have their own unique quirks in how they manage accounts and registrations, and I don't foresee such a protocol being widely adopted even if one exists.

Anyway, this issue tracker isn't the place for extended discussion of this kind; see :

>If you want to have a general discussion about the specification and its goals, it should happen on the mailing list.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 11 April 2018 16:00:20 UTC