Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

@timcappalli sorry if I was imprecise.
The attestation provides a lookup to MDS metadata that states the key storage properties of credentials that are returned with BE 0.

If BE is 1 then the key storage is effectively unknown.

In the BE 0 case, the credential may be wrapped by a key stored in the SE and encrypted into the credentialID with a key of equal or greater strength than the signing key for certified authenticators. Authenticators using TPM like Windows or other small secure elements may also wrap credentials and store them on disk with appropriate encryption as long as the wrapping key itself is in secure storage.

Unless the RP knows the exact architecture of the authenticator no flag like that can tell you if the key is stored wrapped at some point on some external storage. It is more complicated than just if it is in the credentialID.



-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1176640822 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 19:56:16 UTC
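An added example, not part of the comment above or of the webauthn project: it parses the flags byte of WebAuthn authenticator data and applies the reasoning in the comment on the RP side, treating MDS keyProtection metadata (found through attestation) as applicable only when BE is 0. The `make_auth_data` helper and `CONSTRUCTED_MDS` entry are constructed sample input.

```python
# Added example (not from the original comment): decode the WebAuthn
# authenticator-data flags byte and decide what an RP can say about key
# storage. Per the comment, MDS metadata reached via attestation describes
# credentials with BE=0; with BE=1 the key storage is effectively unknown.
from dataclasses import dataclass
from typing import List, Optional

# Bit positions in the flags byte (WebAuthn Level 3): UP, UV, BE, BS, AT, ED.
FLAG_UP, FLAG_UV, FLAG_BE = 0x01, 0x04, 0x08
FLAG_BS, FLAG_AT, FLAG_ED = 0x10, 0x40, 0x80


@dataclass
class AuthDataFlags:
    user_present: bool
    user_verified: bool
    backup_eligible: bool   # BE
    backup_state: bool      # BS
    attested_cred_data: bool
    extensions: bool


def parse_flags(auth_data: bytes) -> AuthDataFlags:
    """Flags byte sits at offset 32, after the 32-byte rpIdHash; signCount follows."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    f = auth_data[32]
    flags = AuthDataFlags(bool(f & FLAG_UP), bool(f & FLAG_UV), bool(f & FLAG_BE),
                          bool(f & FLAG_BS), bool(f & FLAG_AT), bool(f & FLAG_ED))
    if flags.backup_state and not flags.backup_eligible:
        raise ValueError("BS=1 with BE=0 is not a valid combination")
    return flags


def key_storage_assessment(flags: AuthDataFlags, mds_entry: Optional[dict]) -> str:
    """mds_entry is the metadata statement matched via attestation, or None."""
    if flags.backup_eligible:
        return "unknown (BE=1: credential may be synced; MDS keyProtection does not apply)"
    if mds_entry is None:
        return "unknown (BE=0 but no MDS metadata matched this attestation)"
    protection: List[str] = mds_entry.get("keyProtection", [])  # MDS3 field
    return "per MDS: " + ",".join(protection)


def make_auth_data(flags_byte: int) -> bytes:
    """Constructed sample: fake rpIdHash + flags + zero signCount, no attested data."""
    return b"\x11" * 32 + bytes([flags_byte]) + (0).to_bytes(4, "big")


# Constructed MDS3-style entry (hypothetical values, not a real authenticator's).
CONSTRUCTED_MDS = {"keyProtection": ["hardware", "secure_element"]}
```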