W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2021

Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

From: certainlyNotHeisenberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 05 May 2021 00:13:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-832335406-1620173600-sysbot+gh@w3.org>
@Firstyear Are these enough different though? The hash is just some data to be signed. It's somewhat more constrained given the output format of the hash, but it's still variable data. It might actually be easier to implement general signature creation, for which a special case is signing a hash.

As for security concerns around general signatures, there are almost certainly well established best practices that mitigate them. The features I'm describing are standard for mobile apps (both iOS and Android) and have been for many years. The goal is really just to mirror the same functionality for web apps. 

One simple solution would be to create multiple keys and use one for authentication and another for general signatures. I doubt this is necessary though because, as far as I know, no such scoping is required for the hardware backed keys mobile apps use.

GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-832335406 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 5 May 2021 00:13:23 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC