[webauthn] Pull Request: PRF extension.

agl has just submitted a new pull request for https://github.com/w3c/webauthn:

== PRF extension. ==
Some applications such as password managers have requested the ability
to associate a symmetric key with a credential. The CTAP2 `hmac-secret`
extension allows something very like this, and is already widely
deployed. The limitation is that it's not possible to get an HMAC output
during registration because the extension only provides outputs for
assertions and it requires user presence. That gave me pause and we
could, instead, use the new credBlob extension. But I think the utility
of being able to rotate keys, and having existing hardware support, is
compelling enough and we'll have to see whether RPs can tolerate needing
two touches to set up.

See https://github.com/w3c/webauthn/pull/1424

Received on Monday, 25 May 2020 21:43:54 UTC