Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

It is key derivation.  Based on a nonce as input you get back a key that you can use to directly encrypt/decrypt with or derive other keys from.

The goal of this extension is not really to allow non-repudiation of signatures if that is what you are after.  

It will however allow applications to encrypt data at rest without needing the user to input a password to be used as part of the key derivation.   This might be useful for password managers or other cloud services that don't want to be able to decrypt user information without the user being present.

I think this is separate from general-purpose hardware-backed key storage.

While WebAuthn is great and all that, I would rather see browsers support something like [OpenPGP card](https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf) as a backend for WebCrypto, if you want hardware-backed signing and encryption.
That is already implemented on a lot of the current FIDO roaming authenticators and could easily be added to any unlocked Java Card device via open source.

Managing a smart card would need to be simplified from what is currently in OpenPGP card, but the API is probably a much closer fit than CTAP for general crypto operations.





-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-828819051 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 28 April 2021 22:20:29 UTC
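
The nonce-in, key-out flow described in the comment above, as an added Node.js simulation that is not part of the original message or of the WebAuthn specification. `SimulatedAuthenticator`, the HMAC-SHA-256 construction inside it, the `vault-v1` label and the record layout are all assumptions made for illustration; the page only states that a nonce goes in and a key comes out.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical stand-in for the authenticator: the per-credential secret
// never leaves this object, only the keyed output for a given nonce does.
class SimulatedAuthenticator {
  #credSecret = nodeCrypto.randomBytes(32);
  // Assumed construction: HMAC-SHA-256(secret, nonce). A real device would
  // also require the user to be present before answering.
  evaluate(nonce) {
    return nodeCrypto.createHmac('sha256', this.#credSecret).update(nonce).digest();
  }
}

// Derive a purpose-bound AES-256 key from the authenticator output (HKDF),
// so one output can feed several independent keys.
function deriveKey(authOutput, purpose) {
  const okm = nodeCrypto.hkdfSync('sha256', authOutput, Buffer.alloc(0), purpose, 32);
  return Buffer.from(okm);
}

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the record was modified.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// The service stores only the nonce and the ciphertext, never the key.
function enroll(authenticator, secretText) {
  const nonce = nodeCrypto.randomBytes(32);
  const key = deriveKey(authenticator.evaluate(nonce), 'vault-v1');
  return { nonce, ...seal(key, secretText) };
}

// Decryption needs the same authenticator to re-derive the key from the nonce.
function unlock(authenticator, record) {
  const key = deriveKey(authenticator.evaluate(record.nonce), 'vault-v1');
  return open(key, record);
}
```

A stored record is useless to the service on its own: without the authenticator that produced the output, `unlock` fails GCM authentication instead of returning data.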