Re: [webauthn] Recovering from Device Loss

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 06 Nov 2018 15:42:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-436298435-1541518937-sysbot+gh@w3.org>

@watahani We don't want to publish the crypto details just yet - I don't think we'll keep it secret, but we also don't want to risk people starting to use it before we've had it vetted by external cryptography experts.

You're right that the `id` in that response is similar to a WebAuthn credential ID. The public key would be derived from the "public key seed" and a random nonce, and the `id` would be derived from the public key in such a way that the recovery authenticator can reconstruct the private key from the `id` (again, we're not publishing the details just yet). The main authenticator doesn't need to store anything except for the "public key seed" - both the `id` and the `publicKey` would be stored by the Relying Party.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/931#issuecomment-436298435 using your GitHub account
Received on Tuesday, 6 November 2018 15:42:19 UTC
