Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

We should refrain away from ideological and philosophical debates. This WebAuthn spec was meant for authentication. We are working hard to have a stronger user verifying 2FA capable phishing resistant authentication. And webauthn signature (not raw signature) is important part of above promise. 

There are other specs which deal with general purpose cryptography operations, namely WebCrypto. However, that spec does not support a cross-platform hardware keys IIUC. And it is not supported across platforms with a user verifying ability.

It is natural for have newer use cases. And I would like people on this thread to be crisp about that use case. That will help move things along. 

I see two new general patterns. A desire to encrypt things. And a desire to have raw signatures. 

For encrypting things, we have hmac-secret/PRF extension. That seems ok to me unless someone can tell me that their use cases cannot be solved by these extensions.

For raw signatures,  couple of approaches comes to my mind.
- During Create(), designate the key to be created to allow raw signatures and those keys are not used for authentication. 
  - I am not in favor of changing existing webauthn authentication keys to also have the ability for raw signature, hence at credential creation time, RP has to specify what they want.
  - One issue with this approach is RP cannot be sure of additional benefits of webauthn signature like the guarantee around whether user was verified or not. Which may or may not be OK for an RP.
- During Create(), we have an extension to create a secondary key for raw signature. User authenticates with primary key with usual webauthn semantics and in the extension, secondary key does raw signatures over challenge passed in the extension. 

But again, I would like people on this thread to be crisp about their use case with a user journey and clear user benefit. 

GitHub Notification of comment by akshayku
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Sunday, 2 May 2021 10:32:48 UTC