- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 29 Apr 2021 16:56:19 +0000
- To: public-webauthn@w3.org

This provides a way to use a key stored in the device hardware to generate a new key value based on a value (seed) passed in as an extension on the getAssertion request.

It would be up to the application to turn that value into one or more public key pairs using a KDF function using the key's output as the "PRF" input to the KDF. That is where the PRF name comes from, I assumed.

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf

So you can get symmetric or asymmetric keys for the application, but there is no attestation or proof any key is tied to a particular credential.

It, however, provides a secure way to store the seed for generating multiple symmetric keys if you are doing symmetric encryption in an app or on a server.

So the PRF extension is probably a better fit for encryption rather than signing.

I think what you are looking for signing is more of an HSM or OpenPGP card backend that can be used to provide cross-domain signatures.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-829429838 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 29 April 2021 16:56:21 UTC
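
The derivation described in the comment above, as an added example that is not part of the original message or of any WebAuthn code: the value returned by the authenticator is used as the key-derivation key for the NIST SP 800-108 counter-mode KDF with HMAC-SHA-256, producing several independent symmetric keys. The device secret, seed, credential ID, labels and the `simulated_authenticator_output` stand-in are constructed for illustration; a real application would take the value from the getAssertion extension output.

```python
import hashlib
import hmac

def simulated_authenticator_output(device_secret: bytes, seed: bytes) -> bytes:
    """Constructed stand-in for the device: a keyed function of the seed."""
    return hmac.new(device_secret, seed, hashlib.sha256).digest()

def kdf_counter_hmac_sha256(kdk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """SP 800-108 counter-mode KDF, HMAC-SHA-256 as the PRF:
    K(i) = HMAC(kdk, [i]_32 || label || 0x00 || context || [L]_32), L in bits."""
    if len(kdk) < 32:
        raise ValueError("key-derivation key shorter than 256 bits")
    if length <= 0:
        raise ValueError("length must be positive")
    if b"\x00" in label:
        raise ValueError("label must not contain the 0x00 separator")
    l_bits = (length * 8).to_bytes(4, "big")
    out = b""
    for i in range(1, -(-length // 32) + 1):  # ceil(length / 32) blocks
        data = i.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(kdk, data, hashlib.sha256).digest()
    return out[:length]

def derive_app_keys(kdk: bytes, credential_id: bytes) -> dict:
    """One key per purpose; the labels are hypothetical application names."""
    return {
        "enc": kdf_counter_hmac_sha256(kdk, b"example-app file-encryption", credential_id, 32),
        "mac": kdf_counter_hmac_sha256(kdk, b"example-app record-mac", credential_id, 32),
        "wrap": kdf_counter_hmac_sha256(kdk, b"example-app key-wrap", credential_id, 64),
    }

# Constructed sample values, not taken from any real credential.
DEVICE_SECRET = bytes(range(32))
SEED = hashlib.sha256(b"example-app seed v1").digest()
CRED_ID = bytes.fromhex("a1b2c3d4")

if __name__ == "__main__":
    kdk = simulated_authenticator_output(DEVICE_SECRET, SEED)
    for name, key in derive_app_keys(kdk, CRED_ID).items():
        print(name, len(key), "bytes")
```

Because the derivation runs in application code, nothing in it proves to a third party that a derived key is tied to the credential, which is the limitation the comment points out.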