W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2021

Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Wed, 05 May 2021 09:34:29 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-832551276-1620207268-sysbot+gh@w3.org>
> @Firstyear Are these enough different though? The hash is just some data to be signed. It's somewhat more constrained given the output format of the hash, but it's still variable data. It might actually be easier to implement general signature creation, for which a special case is signing a hash.

There are security concerns about key-usage from webauthn for arbitrary data, so having the hash as an extension while still requiring the nonce/challenge would help make this an interface that "can not be held incorrectly". 

Additionally, some applications have cryptographic requirements to what signatures they will accept, which is why signatures vs verification should be seperate. 

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-832551276 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 5 May 2021 09:34:31 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC