- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Tue, 06 Jul 2021 13:57:44 +0000
- To: public-webauthn@w3.org
Regarding the security characteristic, for me there are 4 important aspects: 1. Which keys can be cloud-synchronized? None, individual keys, all - and how could the RP tell by looking at the registration response/attestation. 2. How are exported keys protected? 2.1 Exported in-the-clear 2.2 Can only be restored to authenticators implementing same or higher key sync protection scheme (e.g. no restore to authenticators that would export in the clear) 2.3 Can only be restored to authenticators with same or higher security level (e.g. no restore to authenticators without TEE) 2.4 Can only be restored to authenticators of the same model (i.e. AAGUID won’t change) 3. Are multiple instances of the keys allowed (e.g. phone + PC)? 4. What prevents the "sync" provider from disclosing the keys -- GitHub Notification of comment by rlin1 Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1640#issuecomment-874784041 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 6 July 2021 13:57:45 UTC