Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Remote CryptoKeys] Relationship to WebAuthn PRF extension? #116

Open
estark37 opened this issue Apr 5, 2024 · 3 comments
Open

[Remote CryptoKeys] Relationship to WebAuthn PRF extension? #116

estark37 opened this issue Apr 5, 2024 · 3 comments

Comments

@estark37
Copy link

estark37 commented Apr 5, 2024

Is there any relationship between the Remote CryptoKeys proposal and the WebAuthn PRF extension? At first glance, my impression is that the WebAuthn PRF extension could be used for some of the same use cases as Remote CryptoKeys, but:

  • One would need to define some way to make the PRF extension output opaque to JS, but still usable with Web Crypto
  • There might be Remote CryptoKeys use cases in which the key is not and cannot be stored on a WebAuth authenticator (e.g. non-FIDO2 smart cards)...?
@timcappalli
Copy link

One growing challenge with using PRF with passkeys is the blast radius for deleting a passkey, which is really only intended for use for sign in, expands significantly if it also means a user can no longer access/recover E2EE data. This is something we've been discussing in the WebAuthn WG. UX treatment by passkey providers / authenticators could help (e.g. an additional confirmation prompt on delete), but consistency will be a challenge.

RE: JS, and CryptoKey integration, these issues may be helpful:

@jonchoukroun
Copy link

@timcappalli is correct, our proposal intends to support long-lived keys. As for the storage mechanism, our thinking has been that the API should be agnostic on where the key material actually lives - provided it meets the non-exctractable and device-syncing requirements. So if a user wanted to store their private key on a smart card, maybe that's something the API can support?

@jht5945
Copy link

jht5945 commented Aug 20, 2024

WebAuthn PRF only support HMAC keys, usually it is a symmetric encrypt key, Remote CryptoKeys not only support symmetric keys, it will also support PKI(RSA/ECC) for singing and encryption, the real keys may only store in external devices, like TPM or Security Keys (e.g. PIV card or other devices via PKCS#11).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants