On Mon, May 1, 2023 at 12:47 PM Nick Steele <nick.ste...@agilebits.com>
wrote:

> 1Password is also supportive of this extension being added. Being able to
> encrypt data alongside a credential would be useful to us and our users.
>
> I'd like some clarification on the contextual string being provided for
> HMAC hashing. What is the expected context input being provided?
>

See https://w3c.github.io/webauthn/#prf-extension:

> Let salt1 be the value of SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 ||
> eval.first).

So any applications with more direct access to security keys have to
opt into being compatible with the Web by picking salts with known
pre-images via that function. Existing uses do not get abruptly exposed to
the Web via this extension.


Cheers

AGL
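
The salt derivation quoted in the message above and the opt-in it implies, as an added example that is not part of the original message or of Chromium's code. `authenticator_hmac_secret` is an assumed, simplified model of the security key (HMAC-SHA-256 over a 32-byte salt), and the credential secret, PRF input and legacy salt are constructed values.

```python
import hashlib
import hmac

# UTF8Encode("WebAuthn PRF") from the spec text quoted above.
PRF_CONTEXT = "WebAuthn PRF".encode("utf-8")


def webauthn_prf_salt(eval_input: bytes) -> bytes:
    """What the browser sends: SHA-256(context || 0x00 || eval input)."""
    return hashlib.sha256(PRF_CONTEXT + b"\x00" + eval_input).digest()


def authenticator_hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Assumed model of the security key: HMAC-SHA-256(per-credential secret, salt)."""
    if len(salt) != 32:
        raise ValueError("salt must be exactly 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def demo() -> dict:
    cred_random = bytes(range(32))   # constructed per-credential secret
    prf_input = b"vault-key-v1"      # constructed eval.first supplied by a website
    legacy_salt = b"\xa5" * 32       # constructed raw salt of a pre-existing native app

    # Web path: the site controls only the pre-image, never the salt itself.
    web_out = authenticator_hmac_secret(cred_random, webauthn_prf_salt(prf_input))

    # Legacy native path: the raw salt goes directly to the key.
    legacy_out = authenticator_hmac_secret(cred_random, legacy_salt)

    # A site submitting the legacy salt as its PRF input still has it hashed,
    # so the key is queried with a different salt and returns an unrelated output.
    replay_out = authenticator_hmac_secret(cred_random, webauthn_prf_salt(legacy_salt))

    # Opt-in native path: derive the salt with the same function as the browser.
    optin_out = authenticator_hmac_secret(cred_random, webauthn_prf_salt(prf_input))

    return {"web": web_out, "legacy": legacy_out, "replay": replay_out, "optin": optin_out}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7} {value.hex()}")
```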
