On 18/07/2020 00:37, Adam Langley wrote:
> TAG review
> N/A
Any good reason to not request a TAG review?
> /Gecko/: No signal
> /WebKit/: No signal
Have we asked them for feedback?
Thanks for the ping, Adam.
Mozilla doesn’t see why this capability belongs in Web Authentication, nor why something so powerful should be implemented as an extension to something otherwise unrelated, even if they share the same wire protocol. Blink-dev isn’t the correct venue, but I’d like to start a thread in the WG mailing list asking to clarify why this hardware-backed secret derivation scheme is proposed to be implemented in this fashion, as an extension to the web’s authentication signature specification.
Cheers,
J.C.
Mozilla has filed an issue upstream at the WebAuthn working group calling to remove this extension from the Web Authentication working draft and instead possibly add it into WebCrypto. As-is, this extension has confusing properties for application developers, and will not be extensible in the future in a way that hardware-backed, origin-bound encryption support deserves.
Link: https://github.com/w3c/webauthn/issues/1462