[webauthn] Merged Pull Request: PRF extension. from Adam Langley via GitHub on 2020-07-01 (public-webauthn@w3.org from July 2020)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Jul 2020 19:07:53 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-422905298-1593630471-sysbot+gh@w3.org>

agl has just merged agl's pull request 1424 for https://github.com/w3c/webauthn:

== PRF extension. ==
Some applications such as password managers have requested the ability
to associate a symmetric key with a credential. The CTAP2 `hmac-secret`
extension allows something very like this, and is already widely
deployed. The limitation is that it's not possible to get an HMAC output
during registration because the extension only provides outputs for
assertions and it requires user presence. That gave me pause and we
could, instead, use the new credBlob extension. But I think the utility
of being able to rotate keys, and having existing hardware support, is
compelling enough and we'll have to see whether RPs can tolerate needing
two touches to setup.


<!--
    This comment and the below content is programatically generated.
    You may add a comma-separated list of anchors you'd like a
    direct link to below (e.g. #idl-serializers, #idl-sequence):

    Don't remove this comment or modify anything below this line.
    If you don't want a preview generated for this pull request,
    just replace the whole of this comment's content by "no preview"
    and remove what's below.
-->
***
<a href="https://pr-preview.s3.amazonaws.com/agl/webauthn/pull/1424.html" title="Last updated on Jun 29, 2020, 9:21 PM UTC (b036d14)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/1424/f10427d...agl:b036d14.html" title="Last updated on Jun 29, 2020, 9:21 PM UTC (b036d14)">Diff</a>

See https://github.com/w3c/webauthn/pull/1424

Received on Wednesday, 1 July 2020 19:07:54 UTC