CACAOv2/v3 mapping; have been studying these lately and playing with WASM tooling that could normalize between the two
Chunny: v2 describes AuthZ well;
WIP tooling PoC: WASM library that handles UCANs (and WebAuthN values) as JWTs and types CACAOs in v3
OED: A spec would be nice on exactly how you map WebAuthN values to JWTs for this...
Chunny: hacking so far:
alg ==> webAuthN
turning the WebAuthN "into a JWK"
OED: but isn't it a pile of CBOR?
Chunny: Actually we're just turning the header and body strings into a digest and signing over them JWT-style; didn't implement the multidid way yet, still figuring out how to align diff community styles
OED: we've been prototyping WebAuthN with CACAOv2; remove issuer and signature and stick the remaining payload into IPLD, grab the CID of that, and sign over THAT
Chunny: challenge is already a hash...
OED: A .CAR file full of IPLD examples would also be nice!
OED: free-standing CAR library broken out of IROH is gonna be a game-changer
Philip Kruger contrib
OED: we have a PR open for the JS-DID monorepo that adds support for SIWE session keys to rely on WebCrypto (non-extractable) keys instead of ephemeral ones that live in browser memory (less secure)
Chunny: the signer passed in to this tooling expects a closure (a JS shim could make WebAuthN that signer...)
OED: we're thinking of making the did:key in aud the non-extractable one, so that the browser holds the
WebCrypto create-keys API has a "non-extractable" flag which isolates them not only from the DOM but also from extensions (Aaron: TPM, in theory?); those keys persist in IndexedDB even though they're non-extractable
Next Steps
Chunny: TS library coming out soon that lets WebAuthN take JWTs and sign UCANs, SignSIWE --> UCAN that is a CACAOv3
9 Sept
PRs to refine/move to close
Ongoing issues/topics
webAuthN
multidid