- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Mon, 25 May 2020 21:43:52 +0000
- To: public-webauthn@w3.org
agl has just submitted a new pull request for https://github.com/w3c/webauthn:

== PRF extension. ==

Some applications such as password managers have requested the ability to associate a symmetric key with a credential. The CTAP2 `hmac-secret` extension allows something very like this, and is already widely deployed.

The limitation is that it's not possible to get an HMAC output during registration because the extension only provides outputs for assertions and it requires user presence. That gave me pause and we could, instead, use the new credBlob extension. But I think the utility of being able to rotate keys, and having existing hardware support, is compelling enough and we'll have to see whether RPs can tolerate needing two touches to set up.

See https://github.com/w3c/webauthn/pull/1424

Received on Monday, 25 May 2020 21:43:54 UTC