
Feature Request: Resident Key Management #18

Open
MichaelGrafnetter opened this issue Aug 11, 2020 · 6 comments

Comments

@MichaelGrafnetter (Author)

It would be cool if it were possible to view/delete resident credentials.

@minghuadev

minghuadev commented Aug 23, 2020

An earlier issue 156 on solo seems to agree on not making that available. See this by @nickray on Mar 28 2019:

IMHO, the resident key interface isn't so well thought out by FIDO: You can't delete a specific key (nor list all resident keys on the device, which makes some sense from a security perspective if you lose the key), so if you run out of space, you have to reset the Solo key and delete all of the resident keys. (One exception, you can replace the key for a given (relying party, user ID) pair.)

And this by @0x0ece on Mar 28 2019:

(I agree list, single delete shouldn't be available for security reasons -- though it's still possible to enumerate providing rpid.)

Does anybody have an example of what other products are doing and how it is used?

@MichaelGrafnetter (Author)

Keys from Yubico and Feitian support this feature, and so does libfido2.

Listing RPs using libfido2 on Windows:
[screenshot]

Listing RKs for a RP (webauthn.io), deleting one of them, and checking the result:
[screenshot]

RK management makes a lot of sense to me, especially in the following scenarios:

  • I would like my secondary Solo Key to be registered with all the accounts with which my primary one is registered. Have I missed a RP or an account?
  • I would like to replace my old key with a new one that has a better form factor. With what services have I registered my original key?
  • My key contains many test accounts, but also a couple of production ones. I therefore need to perform selective deletion.

@MichaelGrafnetter (Author)

BTW, the authenticatorCredentialManagement feature is part of the CTAP standard. Specifically, RK deletion is implemented in libfido2 through the fido_credman_del_dev_rk function.

And here is Yubico's announcement of the Credential Management feature support.
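The two comments above describe the CTAP credential-management flow (enumerate RPs, enumerate the resident keys of one RP, delete a single credential) and three use cases for it: finding which registrations a secondary key is missing, listing the RPs a key is registered with, and deleting test accounts while keeping production ones. The following is an added example, not code from solo-desktop, libfido2 or this thread. The device-facing function assumes Yubico's python-fido2 library (its CredentialManagement, ClientPin and CtapHidDevice classes) and a CTAP 2.1 authenticator with the credMgmt option, so it is only reached when real hardware is plugged in; the comparison and selective-deletion logic below it is plain Python and runs offline on the constructed inventories at the bottom. Resident keys are identified by the (rp_id, user_id) pair, which is the identity CTAP itself uses (and the reason a registration for the same pair overwrites the old one).

```python
"""Resident-key inventory helpers (added example; not solo-desktop or libfido2 code)."""
from dataclasses import dataclass
from typing import Any, Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class ResidentKey:
    rp_id: str
    user_id: bytes          # CTAP user handle; (rp_id, user_id) identifies one RK
    user_name: str
    cred_id: bytes          # credential id, the value authenticatorCredentialManagement deletes by
    descriptor: Any = None  # raw credential descriptor returned by the device (needed for deletion)


def inventory_from_device(pin: str) -> List[ResidentKey]:
    """Enumerate every resident key on the first attached authenticator.

    Assumption: python-fido2 1.x API. The import is deferred so the offline
    helpers below work without the library or a device.
    """
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2, ClientPin
    from fido2.ctap2.credman import CredentialManagement

    dev = next(CtapHidDevice.list_devices(), None)
    if dev is None:
        raise RuntimeError("no FIDO2 HID device found")
    ctap = Ctap2(dev)
    if not ctap.info.options.get("credMgmt"):
        raise RuntimeError("authenticator does not advertise credMgmt (CTAP 2.1)")
    client_pin = ClientPin(ctap)
    # Credential management needs a PIN/UV token scoped to that permission.
    token = client_pin.get_pin_token(pin, ClientPin.PERMISSION.CREDENTIAL_MGMT)
    credman = CredentialManagement(ctap, client_pin.protocol, token)
    R = CredentialManagement.RESULT
    keys: List[ResidentKey] = []
    for rp in credman.enumerate_rps():
        rp_id = rp[R.RP]["id"]
        for cred in credman.enumerate_creds(rp[R.RP_ID_HASH]):
            user, desc = cred[R.USER], cred[R.CREDENTIAL_ID]
            keys.append(ResidentKey(rp_id, user["id"], user.get("name", ""), desc["id"], desc))
    return keys


def delete_from_device(pin: str, doomed: Iterable[ResidentKey]) -> int:
    """Delete the given resident keys one by one; returns how many were removed (hardware only)."""
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2, ClientPin
    from fido2.ctap2.credman import CredentialManagement

    ctap = Ctap2(next(CtapHidDevice.list_devices()))
    client_pin = ClientPin(ctap)
    token = client_pin.get_pin_token(pin, ClientPin.PERMISSION.CREDENTIAL_MGMT)
    credman = CredentialManagement(ctap, client_pin.protocol, token)
    count = 0
    for key in doomed:
        credman.delete_cred(key.descriptor)
        count += 1
    return count


def missing_on_secondary(primary: Iterable[ResidentKey],
                         secondary: Iterable[ResidentKey]) -> List[ResidentKey]:
    """Registrations present on the primary key but absent on the secondary (scenario 1)."""
    have = {(k.rp_id, k.user_id) for k in secondary}
    return sorted((k for k in primary if (k.rp_id, k.user_id) not in have),
                  key=lambda k: (k.rp_id, k.user_name))


def registered_rps(keys: Iterable[ResidentKey]) -> List[str]:
    """Distinct RP ids a key holds credentials for (scenario 2: what to re-register elsewhere)."""
    return sorted({k.rp_id for k in keys})


def select_for_deletion(keys: Iterable[ResidentKey],
                        predicate: Callable[[ResidentKey], bool],
                        keep_rps: Tuple[str, ...] = ()) -> List[ResidentKey]:
    """Plan a selective deletion (scenario 3): credentials matching predicate,
    except that anything under an RP on the keep list is never selected, so a
    sloppy predicate cannot take a production login with it."""
    protected = set(keep_rps)
    return [k for k in keys if k.rp_id not in protected and predicate(k)]


# Constructed sample inventories (not real credentials): a primary key with
# three RKs and a secondary key that only mirrors one of them.
PRIMARY = [
    ResidentKey("webauthn.io", b"\x01", "alice", b"\xaa\x01"),
    ResidentKey("github.com", b"\x02", "alice", b"\xbb\x02"),
    ResidentKey("github.com", b"\x03", "test-bot", b"\xcc\x03"),
]
SECONDARY = [ResidentKey("webauthn.io", b"\x01", "alice", b"\xdd\x04")]

if __name__ == "__main__":
    for k in missing_on_secondary(PRIMARY, SECONDARY):
        print(f"missing on secondary: {k.rp_id} / {k.user_name}")
    print("RPs on primary:", registered_rps(PRIMARY))
    plan = select_for_deletion(PRIMARY, lambda k: k.user_name.startswith("test"), keep_rps=("github.com",))
    print("would delete:", [(k.rp_id, k.user_name) for k in plan])
```

To run the hardware part, call `inventory_from_device(pin)` for each key in turn and feed the two lists to `missing_on_secondary`, then pass the output of `select_for_deletion` to `delete_from_device`. The same three operations are exposed by libfido2's own fido2-token tool as `fido2-token -L -r <device>` (list RPs), `fido2-token -L -k <rp_id> <device>` (list that RP's resident keys) and `fido2-token -D -i <cred_id> <device>` (delete one credential), which is what the screenshots in the earlier comment show.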

@nickray (Member)

nickray commented Aug 23, 2020

Yes, that's an old comment of mine. Meanwhile, CTAP v2.1 specifies RK management.

It is available if you update firmware to v4 (https://github.com/solokeys/solo/releases/tag/4.0.0), which is not yet the default for sold keys, as we'd have to re-certify with the FIDO Alliance.

@MichaelGrafnetter (Author)

Thx, @nickray . I have just tested the credential management feature through libfido2 with my SoloKey with v4 firmware and it really works seamlessly.
I thus wonder if it could please be exposed through solo-desktop, to make the RK management even easier.

@minghuadev

Thanks for the information. I see the commits are tracked by solokeys/solo1#314 .
