[webauthn] spec is missing baseline posture that credential source is bound to a particular authenticator (#1122)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== spec is missing baseline posture that credential source is bound to a particular authenticator ==
A reader asks:

> Just a quick question on WebAuthn. My impression has always
> been that the private key of a generated credential should never
> leave the Authenticator.
>
> But a casual read of w3c.github.io/webauthn/
> doesn't give me any such language. There's "user deletes the
> credential from the device" under Decommissioning, implicating that
> the credential can only be on one device, but I fail to find anything
> explicit on this topic. Am I missing something or am I mistaken about
> credential export and import?

My brief answer:

Yes, that's the baseline posture.

Though it is modulo some form of secure credential migration/backup/recovery means, which we have not figured out yet and which is a work in early progress; e.g., see issue #931.

Yes, the spec is arguably missing something in terms of describing this and perhaps pointing to appropriate FIDO material.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1122 using your GitHub account

Received on Saturday, 15 December 2018 18:41:26 UTC