- From: Emil Lundberg <emil@yubico.com>
- Date: Mon, 22 Oct 2018 12:19:53 +0200
- To: W3C Web Authn WG <public-webauthn@w3.org>
- Cc: Christopher Harrell <cnh@yubico.com>, Dain Nilsson <dain@yubico.com>
Received on Monday, 22 October 2018 10:20:27 UTC
Hi all,

Here is our current draft of the recovery extension idea I presented at TPAC today. We don't yet feel comfortable sharing the details of the crypto in a public document, since we haven't yet had it properly vetted, but you're welcome to come ask and I can give you an informal outline of our idea.

Extension draft: https://gist.github.com/emlun/74a4d8bf53fd760a5c5408b418875e2b

Presentation slides: https://docs.google.com/presentation/d/1gjrgrh0dURyxj4o-yfzrXt6f220XbUghjSo9vDb6O60

I noted some comments during the discussion following the presentation:

- Say I have main authnr A, backup authnr B. Let's say B is much less capable than A. Lose A. Now I buy a new main authenticator C, and want B to still be a backup for C instead of using C as a backup for B.
  - This is currently doable, but requires recovering with B at every RP, then registering C at every RP. Would it be possible to "forward" recovery from B to C, so I only need to "associate" B with C and then recover with C directly?
- Make the `generate` action apply to create() as well. There's no guarantee that get() will ever be called, but there is a guarantee that create() has been called at least once.
- Provide transports in `generate` so that CaBLE works for recovery ceremony.

I look forward to your additional comments and questions.

--
Emil Lundberg
Software Developer | Yubico <http://www.yubico.com/>