- From: John Bradley <jbradley@yubico.com>
- Date: Mon, 18 Jul 2022 11:59:58 -0400
- To: Firstyear via GitHub <sysbot+gh@w3.org>
- Cc: public-webauthn@w3.org
- Message-ID: <CAEY7Pj_i5U8ju9aj8_4Ro3eJgL=s8ToSTEy=n_w7jvmkBrEUbw@mail.gmail.com>
Exportable, and exportable under wrap by a key that never leaves the secure element, are two different things. Aside from non-discoverable keys that store the wrapped key in the credentialID, many if not most implementations of discoverable credentials also export credential information under wrap for off-device storage. Current YubiKeys don't do that, but they are the exception. Many devices have TPMs or secure elements with no or limited storage, where the common practice is to have encrypted credential material stored outside of a secure element.

The solution is to educate people that wrapped keys, properly implemented, are not at increased risk of compromise vs discoverable credentials, not to implement another flag that is going to confuse RPs.

There are security differences with keys that can be exported under shared wrapping keys so they can be restored on different devices, and we do have a bit flag for that in the current WebAuthn draft.

On Mon, Jul 18, 2022 at 12:10 AM Firstyear via GitHub <sysbot+gh@w3.org> wrote:
> The latter.
>
> --
> GitHub Notification of comment by Firstyear
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1761#issuecomment-1186741864 using
> your GitHub account
>
> --
> Sent via github-notify-ml as configured in
> https://github.com/w3c/github-notify-ml-config
Received on Monday, 18 July 2022 16:00:20 UTC