Hey! I'm taking a look at this feature as a security reviewer and I'm lacking a bit of background information on it.
Would you mind adding some explainer/design doc for it? It would be great if you could also fill in a security-privacy-questionnaire <https://www.w3.org/TR/security-privacy-questionnaire/> for the feature.

Thanks a lot!
Yifan Luo

On Tuesday, August 23, 2022 at 8:47:12 PM UTC+2 Adam Langley wrote:

> Contact emails
> a...@chromium.org
>
> Specification
> https://github.com/w3c/webauthn/pull/1663
>
> Summary
>
> The devicePubKey extension to WebAuthn permits a multi-device credential
> to also have a device-bound key. This allows sites to incorporate device
> identity information into risk analysis during sign-in. For example, a
> multi-device credential that is being presented from an unexpected
> geography might be able to skip additional authenticator challenges if the
> specific device is already known. Devices create local keys on demand and
> sign the same data as with the primary private key. No cross-credential
> tracking is possible as the additional device-bound keys are always
> specific to a single credential.
>
> We wish to prototype an implementation in Chromium so that other members
> of the WebAuthn WG can test some interoperable implementations and build
> confidence that all the parts hang together correctly.
>
> Blink component
> Blink <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
>
> TAG review status
> Pending
>
> Risks
>
> Interoperability and Compatibility
>
> *Gecko*: No signal
>
> *WebKit*: No signal
>
> *Web developers*: No signals
>
> *Other signals*: at least one security key vendor wishes to experiment
> with a Chromium implementation.
>
> WebView application risks
>
> WebAuthn is not exposed in WebView and so this change won't be
> visible there.
>
> Debuggability
>
> If this extension moved to a full implementation, we would likely expose
> it via the existing virtual authenticator support in Chromium. There it can
> be used with WebDriver-based tests and for manual testing via DevTools.
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Not yet—spec still changing.
>
> Flag name
> chrome://flags/#enable-experimental-web-platform-features
>
> Requires code in //chrome?
> False
>
> Estimated milestones
>
> No milestones specified
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5011158688333824