On Sat, Apr 29, 2023 at 12:05 AM 'Adam Langley' via blink-dev <blink-dev@chromium.org> wrote:
> Contact emails...@chromium.org
>
> Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
>
> Specification: https://w3c.github.io/webauthn/#prf-extension
>
> Summary
>
> The PRF extension to WebAuthn allows a pseudo-random function (i.e. HMAC),
> stored on the security key, to be evaluated when getting a credential. This
> can be used to derive secret keys used to encrypt user data.
>
> Blink component: Blink>WebAuthentication
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication>
>
> Search tags: webauthn <https://chromestatus.com/features#tags:webauthn>, prf
> <https://chromestatus.com/features#tags:prf>, hmac
> <https://chromestatus.com/features#tags:hmac>
>
> TAG review: https://github.com/w3ctag/design-reviews/issues/806
>
> TAG review status: Complete
>
> Risks
>
> Interoperability and Compatibility
>
> Support on Windows depends on having a recent version of Windows. Not
> every security key supports the underlying hmac_secret functionality. Some
> passkey providers on Android 14 may not support it.
>
> *Gecko*: No signal
>
> *WebKit*: No signal

Have we asked? If not, can you file for positions according to https://bit.ly/blink-signals?

> *Web developers*: We've had several requests to enable this. Hopefully
> some will reply to this thread in the coming week.
>
> Security
>
> Some platforms may have assumed that the web would not ever be able to
> access the HMAC oracles in security keys. Therefore the HMAC inputs are
> hashed with a context string before being used, thus preventing sites from
> evaluating any HMAC input from the native domain.
>
> WebView application risks
>
> WebAuthn is not currently supported in WebViews. If that changes, this
> feature isn't expected to cause any specific difficulties. It remains the
> case that apps need to be authorized by assetlinks.json to access WebAuthn
> credentials.
>
> Debuggability: This feature is supported by Chromium's simulated security
> key and can be used by Web Driver tests and, later, could be exposed in
> DevTools.
>
> Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, Chrome OS, Android, and Android WebView)? Yes, although support for
> WebAuthn in WebViews in general is still in the future.
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
> Yes
>
> Flag name: chrome://flags/#enable-experimental-web-platform-features,
> although it'll have a separate killswitch flag when default enabled.
>
> Requires code in //chrome? False
>
> Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1106961
>
> Link to entry on the Chrome Platform Status:
> https://chromestatus.com/feature/5138422207348736
>
> Links to previous Intent discussions: Intent to prototype:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLwSTfuePtL9d2BrF%2BPjXkipxY-f4TPCDMHpv5ESwqA1uQ%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLwSTfuePtL9d2BrF%2BPjXkipxY-f4TPCDMHpv5ESwqA1uQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
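
The Security paragraph of the quoted intent says PRF inputs are hashed with a context string before reaching the key's HMAC. The Python sketch below is an added illustration of that domain separation, not code from this thread or from Chromium. The context string is the one given in the linked specification; the simulated authenticator, the native path using its salt unhashed, the HKDF step and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac

PRF_CONTEXT = b"WebAuthn PRF\x00"  # context string from the linked PRF specification


def authenticator_hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Simulated security key: HMAC-SHA-256 keyed by a per-credential secret."""
    if len(salt) != 32:
        raise ValueError("hmac_secret salts are exactly 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def web_prf_salt(prf_input: bytes) -> bytes:
    """Browser side: the site's input is hashed with the context string first."""
    return hashlib.sha256(PRF_CONTEXT + prf_input).digest()


def eval_from_web(cred_random: bytes, prf_input: bytes) -> bytes:
    """Web path: the page never chooses the HMAC input directly."""
    return authenticator_hmac_secret(cred_random, web_prf_salt(prf_input))


def eval_from_native(cred_random: bytes, salt: bytes) -> bytes:
    """Native path (assumption): a platform app's 32-byte salt is used as-is."""
    return authenticator_hmac_secret(cred_random, salt)


def derive_data_key(prf_output: bytes, info: bytes) -> bytes:
    """HKDF-SHA-256 (RFC 5869), zero salt, one output block: a 32-byte data key."""
    prk = hmac.new(b"\x00" * 32, prf_output, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def demo() -> dict:
    cred_random = bytes(range(32))                      # constructed key secret
    native_salt = b"disk-unlock-v1".ljust(32, b"\x00")  # constructed native salt
    native_out = eval_from_native(cred_random, native_salt)
    # A site that replays the native salt as its PRF input gets an unrelated value.
    web_out = eval_from_web(cred_random, native_salt)
    return {
        "separated": not hmac.compare_digest(native_out, web_out),
        "stable": hmac.compare_digest(eval_from_web(cred_random, native_salt), web_out),
        "key_len": len(derive_data_key(web_out, b"constructed-app file key v1")),
    }


if __name__ == "__main__":
    print(demo())
```

For a site to reproduce a native output it would need a PRF input whose context-prefixed SHA-256 equals the native salt, which is a preimage search; a real authenticator also wraps the salt in an encrypted CTAP exchange that this sketch leaves out.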