Re: [webauthn] Can the private keys be used for other cryptographic operations? (#1595)

@Firstyear and @akshayku thank you for your answers.

I understand the use case for Webauthn, and why device data was used in signatures.
I'm grateful for all your work in bringing this to browsers in an effort to keep everyone safe.

The requested feature would keep safe not only people that use centralized services but also people who use decentralized services.

In a decentralized service, a user registers his public key with the service and all future interactions rely on the user signing data with the matching private key. 

As a user, I browse to `example.com` which is a decentralized application.
To use this service I need to have a public/private key pair.
Example.com gives me some choices on how to manage my private key:
- a) generate the keys for me in the browser (promise not to steal the PK and hopefully no other extensions will), display the seed for backup purposes, and store the PK encrypted using my password in the local storage
- b) install a browser extension that does the same thing in an `iframe`
- c) install a mobile application that does the same thing, except it stores the key on the phone

When I want to authenticate to the service I need to sign some data using the PK, so I enter my password to:
- a) decrypt private key from local storage
- b) unlock browser extension that has the PK
- c) unlock phone app that has the PK

The service will then sign the data needed with my PK.

With the requested feature, the service can ask the user to sign using a security key, there are no passwords and the PK would be stored securely on the key.













-- 
GitHub Notification of comment by cybercent
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1595#issuecomment-831572141 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 3 May 2021 22:21:47 UTC