- From: Eli Ribble via GitHub <sysbot+gh@w3.org>
- Date: Thu, 26 Jan 2023 22:45:00 +0000
- To: public-webauthn@w3.org
>> signing material is generated on a per-browser, per-origin basis > A passkey / WebAuthn credential is unique per origin and authenticator (some authenticators may be virtual and span multiple devices). Thanks for the additional detail. Just to make sure I understand, an authenticator here could be Touch ID for iOS, or the Authenticator app on a phone, or a USB device, or a retina scanner. I was under the impression that the private key generated during `CredentialsContainer.create()` was generated by the browser and stored by the browser, but that only the complimentary public half was made available to the authenticator for attestation. Is the private half also made available so that virtual authenticators could pass both the private and public keys to another device? >> they could generate a new keypair that has a signature chained to their personal certificate authority. > How would an average end user manage a "personal certificate authority"? Most users don't even use a password manager. Similar arguments were used against things like TLS on the majority of websites. That's a technology for banks! Most users also don't use USB 2-factor devices, yet clearly there's desire to support that within the standard. If we argue against innovation based on history or popularity we make little progress. That said, I think password manager use has grown with time. I think the logical conclusion of a password manager is to eventually became a store of keys. These keys may start out as random strings for filling out web forms, but grow to include WebAuthN credentials. The bag of keys could be totally unrelated cryptographic material. Eventually, though, users will want to group these keys together. Keys shared with coworkers, keys shared with significant others, keys for different persona an individual uses online. It's a small step from grouping keys together to use cross-signed chains within a "password manager". Personally, I self-host my password manager and access it on several devices I own. I'm willing to manage my own certificate authority. My employer also manages a certificate authority, and likely a feature of this nature would be as useful to a large organization as it would be to individuals. I think there's no reason in the long run for users to have to know about "certificate authorities". Users could subscribe to an online business that handles their online identity. It would work similar to how email addresses work now - users register with an email address and as long as they can prove control of that email they can log in. Instead, though, the browser gives a registration system their "persona" which under the covers is a certificate chain rooted to a personal CA managed by the business the user subscribes to. The business provides mobile apps, web apps, notifications, and other parts of the user experience that makes it easy to manage registrations, logins, and identities. It's all just certificates and key material under the covers. -- GitHub Notification of comment by EliRibble Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1844#issuecomment-1405771359 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 26 January 2023 22:45:02 UTC