#806: WebAuthn PRF extension

Visit on Github.

Opened Jan 17, 2023

I'm requesting a TAG review of the WebAuthn PRF extension

This extension lets WebAuthn assertions also contain secret keys for the decryption of data. With it, the confidentiality of data can be protected by a security key.

  • Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
  • Specification URL: https://w3c.github.io/webauthn/#prf-extension
  • Tests: wpt/webauthn/createcredential-prf.https.html and wpt/webauthn/getcredential-prf.https.html
  • Security and Privacy self-review²:
    • "What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?" This feature exposes randomly generated secret keys to a site for the site's use.
    • "How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?" This feature does not allow a site to store data as the output is always generated by the authenticator.
    • "Do the features in your specification introduce new state for an origin that persists across browsing sessions?" Yes, new state is added to the WebAuthn credential. Since the purpose of a WebAuthn credential is to sign-in, they perforce have to persist across sessions. This is ameliorated by having significant user-agent UI before they can be exercised.
    • "Do the features in your specification expose information about the underlying platform to origins?" This feature exposes whether or not a security key supports this extension, which is the minimum practical amount of information to expose to make the feature useful.
  • Primary contacts (and their relationship to the specification):
    • Adam Langley (agl), Google
    • Tony Nadalin (nadalin), WebAuthn chair.
  • Organization(s)/project(s) driving the specification: Microsoft, Google.
  • External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5138422207348736

Further details:

  • [✓] I have reviewed the TAG's Web Platform Design Principles
  • Relevant time constraints or deadlines: we would like the implementation to see the light of day in a reasonable time-frame, but there are no critical external dependencies.
  • The group where the work on this specification is currently being done: WebAuthn WG
  • Major unresolved issues with or opposition to this specification: Mozilla objected to this extension in WebAuthn level two because (I believe) of charter scope. I understand that they no longer object since WebAuthn has been rechartered.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify [github usernames]

Discussions