Support for raw cryptographic signatures #1611
Comments
Adding my support for this. I just posted a similar proposal in WebCrypto issues just FYI (see here).
This appears to be a duplicate of #1595 and #1608. A raw signature provides integrity but does not provide the guarantees necessary for authentication. The purpose of the public key credentials is exclusively about providing information about the associated authentication event handled by the hardware. It is highly unlikely the same key pair would be allowed to be used to sign arbitrary messages, as this would allow interception of requests and forgery of authentication responses. Putting this aside, authenticator implementations today would also not support this extension, leaving compatibility to a subset of future platform versions and hardware - possibly subsetted further by the tendency of such distributed systems to use more exotic cryptography primitives. In addition, there are no guarantees about the permanence of Web Authentication public key credentials by authenticators. A platform authenticator may theoretically be backed by local storage, with the same removal policy as a non-exportable WebCrypto key in JavaScript.
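The distinction drawn in the comment above, as an added example that is not part of the thread or any project's own code: a WebAuthn assertion signature covers authenticatorData || SHA-256(clientDataJSON), so the relying party can check type, challenge, origin, rpId and user presence before trusting it, while a raw signing primitive carries none of that context. The key pair, `rp.example`, the challenge, the hypothetical `rawSign` primitive and all function names are constructed for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require('crypto');
const sha256 = (b) => createHash('sha256').update(b).digest();
const b64u = (b) => b.toString('base64url');

// Constructed values: demo key pair, RP id, origin and challenge.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const RP = { rpId: 'rp.example', origin: 'https://rp.example', challenge: Buffer.from('constructed-challenge') };

// authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
function authData(rpId, flags) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(1, 1);
  return Buffer.concat([sha256(rpId), tail]);
}
const clientData = (origin, challenge) =>
  Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: b64u(challenge), origin }));

// Stand-in authenticator: sets UP and signs authData || SHA-256(clientDataJSON).
function getAssertion(rpId, origin, challenge) {
  const a = { authData: authData(rpId, 0x01), clientDataJSON: clientData(origin, challenge) };
  a.signature = sign('sha256', Buffer.concat([a.authData, sha256(a.clientDataJSON)]), privateKey);
  return a;
}

// Relying-party side, reduced to the checks that bind the signature to its context.
function verifyAssertion(a, exp) {
  const c = JSON.parse(a.clientDataJSON.toString());
  if (c.type !== 'webauthn.get') return 'bad type';
  if (c.challenge !== b64u(exp.challenge)) return 'bad challenge';
  if (c.origin !== exp.origin) return 'bad origin';
  if (!a.authData.subarray(0, 32).equals(sha256(exp.rpId))) return 'bad rpIdHash';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Hypothetical rawSignature primitive: signs caller-supplied bytes with the credential key.
const rawSign = (bytes) => sign('sha256', bytes, privateKey);

// A raw signature over the bare challenge carries no rpId, origin or flags.
function rawOverChallenge() {
  return verifyAssertion({ ...getAssertion(RP.rpId, RP.origin, RP.challenge), signature: rawSign(RP.challenge) }, RP);
}
// Given assertion-shaped bytes, the same primitive yields a signature the RP cannot tell apart.
function rawOverAssertionBytes() {
  const a = { authData: authData(RP.rpId, 0x01), clientDataJSON: clientData(RP.origin, RP.challenge) };
  a.signature = rawSign(Buffer.concat([a.authData, sha256(a.clientDataJSON)]));
  return verifyAssertion(a, RP);
}
```

`rawOverChallenge()` fails verification, and `rawOverAssertionBytes()` passes it without any authentication ceremony having taken place, which is why a credential key that also signs arbitrary bytes can no longer vouch for an authentication event.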
signatures are not only about authentication, and failing to provide them means people will continue to roll their own insecure solutions. since the purpose of this standard is to prevent that very thing, this decision seems quite shortsighted.
@earonesty This group is related to defining messages and APIs to support a specific protocol for web authentication, not generalized cryptography. The WebCrypto work (in particular, proposals against w3c/webcrypto#263 mentioned above) is more appropriate for generalized cryptographic operations.
Issue To Be Solved
Allow raw cryptographic signatures using Webauthn.
Suggest A Solution
Allow user to request raw signature of the RP challenge from the hardware key.
Add a new extension: rawSignature:
The assertion object returned from the get() call:
Context
With the rise of web applications that use blockchains as a backend, instead of a centralized database,
users are required to authenticate to these websites using a private key.
The private key is used to create a raw signature that is passed along by the website to the underlying blockchain for authentication.
There is no easy way for a user to use a private key in a browser, so websites require users to store their private keys in the browser cache, which is highly insecure and leads to data loss.
Example:
Website: https://www.sign-art.app