Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

@agl Great news, thanks for your work in pushing this forward. I do agree with @Firstyear that it's a bit confusing at the moment what the extension does in detail — even the name took me a bit to grok. This may just be due to my current lack of familiarity though.

To your question about use cases not covered... one thing comes to mind that may or may not be relevant. It's in the spirit of enabling web apps to do what mobile apps can do (in terms of hardware-backed crypto). Mobile apps can perform ECDH key exchange and can call specific functions for that purpose. For example, in the iOS documentation see [here](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave) and [here](https://developer.apple.com/documentation/security/1644033-seckeycopykeyexchangeresult). My sense is that this would be possible to do by building on the PRF extension, but I mention it in case not. Even if possible, perhaps it would be significantly easier with a dedicated function as in the mobile case?

In general, it would probably help adoption if the interfaces for mobile and web apps using hardware-backed crypto were as similar as possible, both in terms of functionality and terminology. But perhaps that's stretching too far from the current specs.

-- 
GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-827024758 using your GitHub account


Received on Monday, 26 April 2021 17:40:25 UTC