Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

@Firstyear 100% agree. I would much rather follow a community-vetted process than try to shoehorn WebAuthn into a solution it wasn't designed for. I do think it may be difficult, though, to expand the spec given how tightly coupled WebAuthn is to authentication, even in name.

How can we amplify this proposal for wider consideration?

From a security perspective, there are _very_ compelling reasons to open up secure device hardware to web apps. For anyone who's interested, I'd suggest checking out this [Pomcor blog post and presentation](https://pomcor.com/2017/06/02/keys-in-browser/). As they say, "Use of cryptography in web apps has been hindered by the problem of where to store cryptographic keys." Without access to secure device hardware (that's more general than the auth-only approach of WebAuthn), the only options are fundamentally insecure. How tragic! Imagine how much more powerful the web would be if hardware-backed cryptography were available to web apps, especially with the rise of web 3 decentralized systems.

Anyway, now I'm just advocating ;) but would love fellow advocates to help push the cause forward!

-- 
GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-816814994 using your GitHub account



Received on Friday, 9 April 2021 16:50:43 UTC