Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

> It is constructed on top of the [`hmac-secret` CTAP extension](https://fidoalliance.org/specs/fido-v2.1-rd-20210309/#sctn-hmac-secret-extension), yes, but that doesn't mean it's a message authentication algorithm. `hmac-secret` "is used by the platform to retrieve a symmetric secret from the authenticator", and the PRF extension in turn uses that to construct pseudo-random functions on top of it. See also for example [HKDF](https://tools.ietf.org/html/rfc5869), which similarly constructs a key derivation/expansion algorithm on top of HMAC.

Cool, so as discussed on the other thread, this would need to be renamed to "Key Derivation Function" then :) 

Regardless, I think we should consider an extension for allowing data signatures to be produced at this point since I think that's what's required here. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-830488127 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 1 May 2021 01:59:55 UTC
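
The layering discussed in this message, as an added example that is not part of the original comment or of any WebAuthn or CTAP implementation: HMAC-SHA-256 is used once as the authenticator's `hmac-secret` function and again inside HKDF (RFC 5869) to expand that secret into separate keys. `CRED_RANDOM`, the `info` labels and the function names are constructed for illustration; the salt hashing follows the PRF extension's domain-separation prefix.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def prf_salt(eval_input: bytes) -> bytes:
    # Client side: the PRF extension hashes the caller's input under a fixed
    # prefix before it is passed to the authenticator as the hmac-secret salt.
    return hashlib.sha256(b"WebAuthn PRF\x00" + eval_input).digest()

def hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    # Authenticator side: a keyed PRF over the salt. The output is a symmetric
    # secret handed to the platform, not a tag over application data.
    return hmac.new(cred_random, salt, hashlib.sha256).digest()

def derive_keys(cred_random: bytes, eval_input: bytes) -> tuple[bytes, bytes]:
    """Expand one PRF output into independent keys (labels are hypothetical)."""
    prk = hkdf_extract(b"", hmac_secret(cred_random, prf_salt(eval_input)))
    return (hkdf_expand(prk, b"example encryption key", 32),
            hkdf_expand(prk, b"example mac key", 32))

def mac_tag(key: bytes, message: bytes) -> bytes:
    # Any party able to check this tag holds `key` and could equally have
    # produced it, which is why a derived MAC key gives no signature semantics.
    return hmac.new(key, message, hashlib.sha256).digest()

CRED_RANDOM = bytes(range(32))  # constructed stand-in for the per-credential secret

if __name__ == "__main__":
    enc_key, mac_key = derive_keys(CRED_RANDOM, b"constructed application context")
    print("enc key:", enc_key.hex())
    print("tag    :", mac_tag(mac_key, b"constructed message").hex())
```
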