Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

@Firstyear Are these enough different though? The hash is just some data to be signed. It's somewhat more constrained given the output format of the hash, but it's still variable data. It might actually be easier to implement general signature creation, for which a special case is signing a hash.

As for security concerns around general signatures, there are almost certainly well established best practices that mitigate them. The features I'm describing are standard for mobile apps (both iOS and Android) and have been for many years. The goal is really just to mirror the same functionality for web apps. 

One simple solution would be to create multiple keys and use one for authentication and another for general signatures. I doubt this is necessary though because, as far as I know, no such scoping is required for the hardware backed keys mobile apps use.

GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 5 May 2021 00:13:23 UTC