w3c / websec

Web security drafts

support for general (hardware backed) cryptographic signatures and key exchange #131

Open burghard-britzke-drv opened 3 years ago

burghard-britzke-drv commented 3 years ago

As expressed in https://github.com/w3c/webauthn/issues/1608, there is a need for standard support of cryptographic signatures with hardware support (e.g. crypto-tokens or smart cards). The W3C WebAuthn WG decided not to support these needs inside the WebAuthn framework. I suggest initiating a new WG on the topic of WebSigning and partitioning the frameworks in such a way that parts of the W3C WebAuthn framework can be reused. Maybe these common parts are already bundled in W3C WebCrypto.

ghost commented 3 years ago

Adding my support for this!

I am a bit wary of a whole new working group/spec though. My guess is it'll take much longer to achieve browser adoption than if this new functionality is added to a spec they've already adopted, like WebAuthn or WebCrypto. I posted that issue in the WebAuthn GitHub issues and, to this end, made a similar post in the WebCrypto one (here). I understand why the WebAuthn group decided against general signatures, since they go beyond just authentication. Maybe WebCrypto is a better bet.

In a simple sense, this proposal is "WebAuthn + WebCrypto", i.e. the hardware access WebAuthn standardizes with the general cryptographic signatures (and key exchange?) WebCrypto standardizes. Wish we could just combine the specs!

dcow commented 2 years ago

+1. I'd like to see encryption and decryption support (if that's not already implied) so e.g. a user's soft keys for some application could be encrypted at rest using an HSM backed key.