- From: certainlyNotHeisenberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 12 Apr 2021 14:42:29 +0000
- To: public-webauthn@w3.org
> FYI/FWIW, there is an existing, relevant, _tho apparently dormant_, [Hardware-backed Security Services Community Group](https://www.w3.org/community/hb-secure-services/), whose unfinished draft report takes a stab at a WebCrypto-linked [Secure Credential Storage API](https://rawgit.com/w3c/websec/gh-pages/hbss.html#concept-throw:~:text=Secure%20Credential%20Storage%20API,-This).

@equalsJeffH Yes, thanks for highlighting this here. I also stumbled across this dormant group and spec draft. This spec and another one I found have just an author or two — unfortunately seems that they never went anywhere.

@rlin1 Interesting about the `isKeyRestricted` property. The fact that this is an option maybe suggests the spec authors wanted to leave open use cases beyond authentication?

@Firstyear Perhaps using one restricted key for authentication only and another unrestricted key for other cryptographic operations would address part of your concern. Unfortunately, WebCrypto isn't really a comparable solution. It does enable more general cryptography but not tied to the device hardware, which makes it vulnerable to malware, physical takeover, etc.

@nuno0529 Are you saying that because the metadata can be arbitrary, signing data for purposes other than simple authentication is allowed by the spec?

--
GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-817870805 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 12 April 2021 14:42:30 UTC