W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2021

Re: [webauthn] Syncing Platform Keys, Recoverability and Security levels (#1640)

From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
Date: Tue, 06 Jul 2021 13:57:44 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-874784041-1625579862-sysbot+gh@w3.org>
Regarding the security characteristic, for me there are 4 important aspects:

1. Which keys can be cloud-synchronized? None, individual keys, all - and how could the RP tell by looking at the registration response/attestation.

2. How are exported keys protected?
2.1 Exported in-the-clear
2.2 Can only be restored to authenticators implementing same or higher key sync protection scheme (e.g. no restore to authenticators that would export in the clear)
2.3 Can only be restored to authenticators with same or higher security level (e.g. no restore to authenticators without TEE)
2.4 Can only be restored to authenticators of the same model (i.e. AAGUID won’t change)

3. Are multiple instances of the keys allowed (e.g. phone + PC)?

4. What prevents the "sync" provider from disclosing the keys 

GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1640#issuecomment-874784041 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 6 July 2021 13:57:45 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:44 UTC