W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2021

Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

From: certainlyNotHeisenberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 04 May 2021 22:46:26 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-832296346-1620168385-sysbot+gh@w3.org>
@akshayku My mistake. I was implicitly assuming that key exchange like ECDH would be included also, since that was part of the discussion in the other issue thread I linked to. But I forgot to add that explicity here. I changed the title and text of the proposal to reflect this.

For extra clarity, what I mistyped as "symmetric encryption protected by asymmetric signing" I meant to be "symmetric encryption protected by asymmetric _encryption_". In this model, data is encrypted with a symmetric key, which is itself encrypted with an asymmetric key, thereby achieving the usability of symmetric and the security of asymmetric. This is already standard for mobile apps (e.g. see the iOS documentation [here](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/using_keys_for_encryption)), since mobile OSs provide key exchange like ECDH. In this way, even though the iOS Secure Enclave and Android Secure Element only support ECC keys, which have no direct encryption functionality, it's possible to use them for asymmetric backed encryption. 

So, this proposal would help achieve feature parity between mobile and web apps around cryptography, and it should enable the use cases mentioned above.

GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-832296346 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 4 May 2021 22:46:28 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC