Re: [webauthn] Recovering from Device Loss (#931)

> Am I missing some reason for why separate invocations of HKDF would be beneficial?

My thinking here was implementation rather than any cryptographic properties.

```
cred_key = HKDF(...)
mac_key = HKDF(...)
```

vs

```
key_mat = HKDF(...)
cred_key = key_mat[..]
mac_key = key_mat[..]
```

But as I said, it's a very minor quibble!

> On the addition of `S`, I would consider an alternative take on the non-malicious main authenticator: What if a flaw in either the destruction or the generation of `e` is found in the main authenticator (through compromise or other means)? I'd argue that if there is no need for the main authenticator to ever possess the private key, it would be desirable for it not to ever be exposed to it.

Okay, I see the benefit here, but it only applies if you have a main authenticator with a bad RNG, the adversary learns `S` and the RP has already rejected the main authenticator. Then adding `S` does prevent the attacker's use of the honestly registered recovery credential. 

Perhaps it's worth adding in some security guidance for RPs in the event they believe an authenticator (or an entire class of them) has been compromised. They must obviously reject main or recovery credentials if they have reason to believe the authenticator owning them is compromised. Additionally, if they reject a main authenticator, they should also consider rejecting any recent update of the recovery credentials, as these could have been forged by the attacker / main authenticator as a backdoor in the event the main authenticator is revoked.

-- 
GitHub Notification of comment by galadran
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/931#issuecomment-542734501 using your GitHub account

Received on Wednesday, 16 October 2019 14:39:40 UTC
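
The two layouts sketched in the message above, written out as an added example (not code from the comment or from the proposal under discussion). It uses HKDF-SHA256 per RFC 5869 from the Python standard library; the input keying material, salt and `info` labels are constructed placeholders, and the last function shows the one pitfall of the separate-call layout: reusing an `info` label yields overlapping output.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    # Extract: an empty salt is replaced by HASH_LEN zero bytes.
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n)
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed inputs; the labels below are hypothetical, not from the proposal.
IKM = bytes(range(32))
SALT = b"constructed-salt"


def derive_separate(ikm=IKM, salt=SALT):
    """Layout 1: one HKDF call per key, separated by distinct info labels."""
    cred_key = hkdf(ikm, salt, b"example cred_key", 32)
    mac_key = hkdf(ikm, salt, b"example mac_key", 32)
    return cred_key, mac_key


def derive_sliced(ikm=IKM, salt=SALT):
    """Layout 2: one HKDF call, output split into non-overlapping slices."""
    key_mat = hkdf(ikm, salt, b"example key_mat", 64)
    return key_mat[:32], key_mat[32:]


def same_label_overlap(ikm=IKM, salt=SALT):
    """Pitfall in layout 1: same info, different lengths share a prefix."""
    short = hkdf(ikm, salt, b"same label", 32)
    longer = hkdf(ikm, salt, b"same label", 64)
    return longer.startswith(short)
```
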