Re: [webauthn] Syncing Platform Keys, Recoverability and Security levels (#1640)

From: certainlyNotHeisenberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 19 Jul 2021 18:19:09 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-882759298-1626718747-sysbot+gh@w3.org>
Worth noting also that solutions like [Apple's keychain syncing](https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/1/web/1) (mentioned above by @dwaite and @rmondello) are ultimately password based. So although such solutions can help prevent RPs from requiring users to create _new_ passwords, they don't eliminate passwords altogether.

> When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself. The syncing identity consists of a private key and a public key. The public key of the syncing identity is put in the circle, and the circle is signed twice: first by the private key of the syncing identity, then again with an asymmetric elliptical key (using P-256) **derived from the user’s iCloud account password.** 

(emphasis my own)

And further, in some sense it makes the root password (in this case an iCloud password) all the more vulnerable, since the attacker's prize for compromising it is all that much bigger.

GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1640#issuecomment-882759298 using your GitHub account
Received on Monday, 19 July 2021 18:19:11 UTC