solokeys / solo-desktop

Desktop app for customizing and updating your Solo.
MIT License

Feature Request: Resident Key Management #18

Open MichaelGrafnetter opened 4 years ago

MichaelGrafnetter commented 4 years ago

It would be cool if it were possible to view/delete resident credentials.

minghuadev commented 4 years ago

An earlier issue, 156 on solo, seems to agree on not making that available. See this by @nickray on Mar 28 2019:

IMHO, the resident key interface isn't so well thought out by FIDO: You can't delete a specific key (nor list all resident keys on the device, which makes some sense from a security perspective if you lose the key), so if you run out of space, you have to reset the Solo key and delete all of the resident keys. (One exception, you can replace the key for a given (relying party, user ID) pair.)

And this by @0x0ece on Mar 28 2019:

(I agree list, single delete shouldn't be available for security reasons -- though it's still possible to enumerate providing rpid.)

Does anybody have an example of what other products are doing and how it is used?

MichaelGrafnetter commented 4 years ago

Keys from Yubico and Feitian support this feature, and so does libfido2.

Listing RPs using libfido2 on Windows: [image]

Listing RKs for a RP (webauthn.io), deleting one of them, and checking the result: [image]

RK management makes a lot of sense to me, especially in the following scenarios:

MichaelGrafnetter commented 4 years ago

BTW, the authenticatorCredentialManagement feature is part of the CTAP standard. Specifically, RK deletion is implemented in libfido2 through the fido_credman_del_dev_rk function.

And here is Yubico's announcement of the Credential Management feature support.

nickray commented 4 years ago

Yes, that's an old comment of mine. Meanwhile, CTAP v2.1 specifies RK management.

It is available if you update firmware to v4 (https://github.com/solokeys/solo/releases/tag/4.0.0), which is not yet the default for sold keys, as we'd have to re-certify with the FIDO Alliance.
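What the libfido2 credential-management calls mentioned above (fido_credman_del_dev_rk and friends) put on the wire, as an added example that is not code from solo-desktop, libfido2 or any commenter: a minimal CBOR encoder plus builders for the CTAP 2.1 authenticatorCredentialManagement requests that enumerate the resident credentials of one RP and delete one of them. Assumptions: a pinUvAuthToken already obtained via clientPin with PIN protocol 1 (hypothetical 32-byte value in the test), the standard command byte 0x0A, and CTAPHID transport and response parsing left out.

```python
import hashlib
import hmac

CMD_CRED_MGMT = 0x0A  # authenticatorCredentialManagement command byte (CTAP 2.1)
SUB_ENUM_RPS_BEGIN = 0x02
SUB_ENUM_CREDS_BEGIN = 0x04
SUB_DELETE_CREDENTIAL = 0x06

def _head(major, n):
    # CBOR initial byte(s): major type in the top 3 bits, the argument (value or length) after it
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")

def cbor(value):
    """Encode the CBOR subset a CTAP request needs: unsigned ints, bytes, text, maps."""
    if isinstance(value, int):
        return _head(0, value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode()
        return _head(3, len(data)) + data
    if isinstance(value, dict):
        # CTAP canonical CBOR: shorter encoded keys first, then bytewise
        items = sorted(value.items(), key=lambda kv: (len(cbor(kv[0])), cbor(kv[0])))
        return _head(5, len(items)) + b"".join(cbor(k) + cbor(v) for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")

def pin_auth(sub_command, params, pin_token):
    """pinUvAuthParam for PIN protocol 1: HMAC-SHA-256(pinUvAuthToken, subCommand || subCommandParams)[:16]."""
    msg = bytes([sub_command]) + (cbor(params) if params is not None else b"")
    return hmac.new(pin_token, msg, hashlib.sha256).digest()[:16]

def cred_mgmt_request(sub_command, params, pin_token):
    # Request map keys: 0x01 subCommand, 0x02 subCommandParams, 0x03 pinUvAuthProtocol, 0x04 pinUvAuthParam
    req = {1: sub_command, 3: 1, 4: pin_auth(sub_command, params, pin_token)}
    if params is not None:
        req[2] = params
    return bytes([CMD_CRED_MGMT]) + cbor(req)

def enumerate_creds_request(rp_id, pin_token):
    # enumerateCredentialsBegin identifies the RP by SHA-256(rpId) under subCommandParams key 0x01
    return cred_mgmt_request(SUB_ENUM_CREDS_BEGIN, {1: hashlib.sha256(rp_id.encode()).digest()}, pin_token)

def delete_credential_request(cred_id, pin_token):
    # deleteCredential names the target by a PublicKeyCredentialDescriptor under subCommandParams key 0x02
    return cred_mgmt_request(SUB_DELETE_CREDENTIAL, {2: {"id": cred_id, "type": "public-key"}}, pin_token)
```

The authenticator only accepts these requests when the pinUvAuthParam verifies, which is why a listing or deletion always requires the PIN-derived token rather than just a touch.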

MichaelGrafnetter commented 4 years ago

Thx, @nickray. I have just tested the credential management feature through libfido2 with my SoloKey with v4 firmware and it really works seamlessly. I thus wonder if it could please be exposed through solo-desktop, to make the RK management even easier.

minghuadev commented 4 years ago

Thanks for the information. I see the commits are tracked by https://github.com/solokeys/solo/issues/314.