[webauthn] Individual Certificate Authority for credential management and recovery (#1844) from Eli Ribble via GitHub on 2023-01-26 (public-webauthn@w3.org from January 2023)

From: Eli Ribble via GitHub <sysbot+gh@w3.org>
Date: Thu, 26 Jan 2023 17:26:19 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-1558503409-1674753977-sysbot+gh@w3.org>

EliRibble has just created a new issue for https://github.com/w3c/webauthn:

== Individual Certificate Authority for credential management and recovery ==
## Description

My current understanding of WebAuthn is that signing material is generated on a per-browser, per-origin basis. This puts the onus for handling key recovery on the user with a scheme like [webauthn-recovery-extension](https://github.com/Yubico/webauthn-recovery-extension) using backup keys or on the RP themselves and designing a backup flow into the application. I am not aware of a current WebAuthn mechanism for handling multi-device credentials. I'd like to suggest one.

It seems to me that the problem of multi-device credentials is isomorphic to the problem of multi-server credentials in TLS. We traditionally think of certificate authorities related to cryptographically proving that a server represents a particular entity we would like to communicate with. We could turn it around and individuals could have root certificate authorities and intermediate certificates and sign WebAuthn keypairs on registration. This signature could be included through `CredentialsContainer.create()`. In the case where the per-site keys are lost or the user wishes to authorize a second device to the same RP they could generate a new keypair that has a signature chained to their personal certificate authority. This would identify the user as the same entity.

This also adds the ability to prove that a given user is the same across RPs, if that's what the user wants. Think of this sort of like what [Keybase](https://keybase.io) used to do in providing a mechanism to prove that an email address, Twitter account, and GitHub user are all the same person. Or at least controlled by an entity with access to the same keys.

Thoughts?

## Related Links

* [webauthn-recovery-extension](https://github.com/Yubico/webauthn-recovery-extension)
* [FIDO use cases whitepaper](https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1844 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 26 January 2023 17:26:20 UTC