- From: Daniel via GitHub <sysbot+gh@w3.org>
- Date: Fri, 07 May 2021 15:11:31 +0000
- To: public-webauthn@w3.org
cybercent has just created a new issue for https://github.com/w3c/webauthn:
== Support for raw cryptographic signatures ==
## Issue To Be Solved
Allow raw cryptographic signatures using WebAuthn.
## Suggest A Solution
Allow the user to request a raw signature of the RP challenge from the hardware key.
Add a new extension: `rawSignature`:
```js
var options = {
  // The challenge is produced by the server; see the Security Considerations
  challenge: new Uint8Array([8,18,33 /* 29 more random bytes generated by the server */]),
  timeout: 120000, // 2 minutes
  allowCredentials: [acceptableCredential1, acceptableCredential2],
  extensions: { 'rawSignature': true }
};
```
```js
PublicKeyCredential {
  id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...',
  rawId: ArrayBuffer(59),
  rawSignature: "the raw signature of the challenge"
  ..
}
```
## Context
With the rise of web applications that use blockchains as a backend, instead of a centralized database,
users are required to authenticate to these websites using a private key.
The private key is used to create a raw signature that is passed along by the website to the underlying blockchain for authentication.
There is no easy way for a user to use a private key in a browser, so websites require users to store their private keys in the browser cache, which is highly insecure and leads to data loss.
Example:
<img width="362" alt="Screenshot 2021-05-07 at 15 35 06" src="https://user-images.githubusercontent.com/195806/117458360-83496c80-af4a-11eb-90b8-1c9a8e759e80.png">
Website: https://www.sign-art.app
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1611 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 7 May 2021 15:11:33 UTC
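
For context on the request above: a standard WebAuthn assertion signature covers `authenticatorData || SHA-256(clientDataJSON)`, not the challenge bytes alone, so a verifier that expects a signature over the bare challenge rejects it. The following Node.js code is an added example, not part of the original issue or of any project's code; the software key pair standing in for an authenticator, the `rp.example` RP ID and origin, and all function names are constructed for illustration.

```javascript
// Server-side view of what a WebAuthn get() assertion signature covers.
const nodeCrypto = require('node:crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed stand-in for an authenticator: a P-256 key pair (ES256).
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
// Constructed sample values; the RP ID and origin are hypothetical.
const RP_ID = 'rp.example';
const ORIGIN = 'https://rp.example';

// Authenticator side: sig = Sign(authenticatorData || SHA-256(clientDataJSON)).
function makeAssertion(challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: b64url(challenge),
    origin: ORIGIN,
  }));
  const flags = Buffer.from([0x05]);            // UP (bit 0) + UV (bit 2)
  const signCount = Buffer.from([0, 0, 0, 1]);  // 32-bit big-endian counter
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, signCount]);
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signedBytes, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party side: check the bound context, then verify over the same bytes.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expectedChallenge) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return false;
  if (clientData.origin !== ORIGIN) return false;
  if (clientData.challenge !== b64url(expectedChallenge)) return false;
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return false;
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signedBytes, publicKey, signature);
}

// What a verifier expecting Sign(challenge) does with that same signature.
function verifyAsRawSignature(signature, challenge) {
  return nodeCrypto.verify('sha256', challenge, publicKey, signature);
}

const demoChallenge = nodeCrypto.randomBytes(32);
const demo = makeAssertion(demoChallenge);
console.log('WebAuthn verification:', verifyAssertion(demo, demoChallenge));
console.log('Raw-challenge verification:', verifyAsRawSignature(demo.signature, demoChallenge));
```

The origin and RP ID hash inside the signed bytes are what tie an assertion to one relying party; a signature over the challenge alone carries neither.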