
Public Key Credential Source and Extensions

Open · timcappalli opened this issue 2 years ago · 2 comments

The Public Key Credential Source is currently defined as containing:

  • type
  • id
  • privateKey
  • rpId
  • userHandle
  • otherUI

The definition does not currently say anything about extension data, but we know that many authenticators include extension data such as hmac-secret, large blob, large blob key, credProtect, etc.

~~L3 introduces the Device Public Key (DPK) which must be device bound (cannot be backed up) and is not part of the credential itself, so it must not be part of the Public Key Credential Source.~~

Do we need to be more explicit about this in the spec?

Should things like hmac-secret/prf be backed up as part of the Public Key Credential Source?

/cc @ve7jtb @akshayku

timcappalli, Apr 07 '22 18:04
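Added illustration, not code from this thread, from the WebAuthn spec or from any authenticator: a hypothetical model of the Public Key Credential Source with the six fields listed above plus an `extension_state` slot the current definition lacks, and a backup/restore path that either carries the extension state along with the credential or leaves it behind. The one piece taken from a real spec is the CTAP2 hmac-secret construction, where each PRF output is HMAC-SHA-256 over a per-credential 32-byte CredRandom and the RP-supplied salt; everything else (the JSON backup record, the `credProtect` default on restore, the names) is an assumption made for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


# Hypothetical model of the Public Key Credential Source as listed in the issue,
# plus extension_state for per-credential data that authenticators keep alongside
# the credential (hmac-secret CredRandom, credProtect level, ...). Not the spec's
# own data model.
@dataclass
class PublicKeyCredentialSource:
    type: str
    id: bytes
    privateKey: bytes
    rpId: str
    userHandle: bytes
    otherUI: dict
    extension_state: dict = field(default_factory=dict)


def make_credential(rp_id: str, user_handle: bytes, hmac_secret: bool,
                    cred_protect: int = 1) -> PublicKeyCredentialSource:
    """Authenticator side of registration (hypothetical). For hmac-secret/prf the
    authenticator draws a 32-byte CredRandom at creation time; the PRF output is
    HMAC-SHA-256(CredRandom, salt), as in CTAP2 hmac-secret."""
    cred = PublicKeyCredentialSource(
        type="public-key",
        id=secrets.token_bytes(16),
        privateKey=secrets.token_bytes(32),  # stand-in for the signing key
        rpId=rp_id,
        userHandle=user_handle,
        otherUI={},
    )
    cred.extension_state["credProtect"] = cred_protect
    if hmac_secret:
        cred.extension_state["hmac-secret"] = {"credRandom": secrets.token_bytes(32)}
    return cred


def prf_eval(cred: PublicKeyCredentialSource, salt: bytes) -> bytes:
    """Evaluate the PRF for one salt. A restored credential that arrived without
    hmac-secret state gets a fresh CredRandom here (assumed behaviour), which is
    exactly the failure mode the issue asks about: the RP's derived secret changes."""
    ext = cred.extension_state.get("hmac-secret")
    if ext is None:
        ext = cred.extension_state["hmac-secret"] = {"credRandom": secrets.token_bytes(32)}
    return hmac.new(ext["credRandom"], salt, hashlib.sha256).digest()


def export_backup(cred: PublicKeyCredentialSource, include_extensions: bool) -> bytes:
    """Backup record. include_extensions=True corresponds to 'PKCS + applicable
    extensions' (option 2 in the thread); False backs up only the six listed fields."""
    record = {
        "type": cred.type,
        "id": cred.id.hex(),
        "privateKey": cred.privateKey.hex(),
        "rpId": cred.rpId,
        "userHandle": cred.userHandle.hex(),
        "otherUI": cred.otherUI,
    }
    if include_extensions:
        ext = {"credProtect": cred.extension_state["credProtect"]}
        if "hmac-secret" in cred.extension_state:
            ext["hmac-secret"] = {
                "credRandom": cred.extension_state["hmac-secret"]["credRandom"].hex()
            }
        record["extensions"] = ext
    return json.dumps(record).encode()


def import_backup(blob: bytes) -> PublicKeyCredentialSource:
    """Restore on another device. With no extension data in the record the
    credProtect level falls back to 1 (userVerificationOptional), an assumed default
    that silently weakens a credential registered at level 3."""
    rec = json.loads(blob)
    cred = PublicKeyCredentialSource(
        type=rec["type"],
        id=bytes.fromhex(rec["id"]),
        privateKey=bytes.fromhex(rec["privateKey"]),
        rpId=rec["rpId"],
        userHandle=bytes.fromhex(rec["userHandle"]),
        otherUI=rec["otherUI"],
    )
    ext = rec.get("extensions", {})
    cred.extension_state["credProtect"] = ext.get("credProtect", 1)
    if "hmac-secret" in ext:
        cred.extension_state["hmac-secret"] = {
            "credRandom": bytes.fromhex(ext["hmac-secret"]["credRandom"])
        }
    return cred


def prf_survives_backup(include_extensions: bool) -> bool:
    """True iff the RP gets the same PRF output from the restored credential."""
    salt = hashlib.sha256(b"constructed RP salt").digest()  # constructed input
    original = make_credential("example.com", b"user-1", hmac_secret=True, cred_protect=3)
    before = prf_eval(original, salt)
    restored = import_backup(export_backup(original, include_extensions))
    return prf_eval(restored, salt) == before


def cred_protect_survives_backup(include_extensions: bool) -> bool:
    """True iff the restored credential keeps the credProtect level it was created with."""
    original = make_credential("example.com", b"user-1", hmac_secret=False, cred_protect=3)
    restored = import_backup(export_backup(original, include_extensions))
    return restored.extension_state["credProtect"] == original.extension_state["credProtect"]


if __name__ == "__main__":
    print("prf with extensions backed up :", prf_survives_backup(True))
    print("prf without extension backup  :", prf_survives_backup(False))
    print("credProtect with extensions    :", cred_protect_survives_backup(True))
    print("credProtect without extensions :", cred_protect_survives_backup(False))
```

The point the two checks make concrete: an RP that uses the prf extension to wrap an encryption key cannot unwrap it on the second device unless CredRandom travelled with the credential, and a credential registered with credProtect level 3 comes back weaker if that level is not part of what "backup eligible" covers. That is the difference between backing up the six fields of the Public Key Credential Source alone and backing up the credential together with its applicable extension state.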

We haven't talked about this one in a while. I think we have two options:

  1. Change the definition of public key credential source to include applicable extensions
  2. Change the wording around backup eligibility to include PKCS + applicable extensions

Number 2 seems least disruptive to the spec text. Thoughts @emlun @ve7jtb @agl @akshayku?

timcappalli, Jul 11 '23 19:07