by shivak 2859 days ago
I hoped WebAuthn would allow such general-purpose use of security devices. Unfortunately, in the spec: "To save bandwidth and processing requirements on the authenticator, the client hashes the client data and sends only the result to the authenticator. The authenticator signs over the combination of the hash of the serialized client data, and its own authenticator data." [1]

So, in the foreseeable future on the web, the devices are useful just for authentication.

[1] https://w3c.github.io/webauthn/

1 comments

You understand that in addition to simplifying the protocol, confining it to authentication helps, somewhat, keep WebAuthn from becoming essentially a hardware cookie.
I think that’s mitigated by the physical button one has to press every time something is signed.

I’m not sure if the restriction to authentication has substantially simplified the WebAuthn API. The restriction is caused by a speed optimization, not design simplification. If the actual payload was sent to the authenticator, rather than just its hash due to bandwidth limitations, then it seems like the API could be used for signing messages, not just authentication. I do agree that the user interfaces surrounding the APIs will be simpler due to the focus on authentication.
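
Added example, not part of the thread or of the WebAuthn spec: a Node.js sketch of the flow quoted in the original post, where the client hashes the client data and the authenticator signs its authenticator data followed by that hash. The key, challenge, origin and RP ID are constructed sample values, the function names are hypothetical, and the authenticator data is reduced to its fixed 37-byte prefix (RP ID hash, flags, counter).

```javascript
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Authenticator: receives only the 32-byte clientDataHash, never the client data itself.
function authenticatorSign(privateKey, rpId, clientDataHash, signCount, userPresent) {
  const flags = Buffer.from([userPresent ? 0x01 : 0x00]); // bit 0 = UP (button pressed)
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authData = Buffer.concat([sha256(Buffer.from(rpId)), flags, counter]);
  const signature = crypto.sign('sha256', Buffer.concat([authData, clientDataHash]), privateKey);
  return { authData, signature };
}

// Client (browser): serializes the client data and hands only its hash to the authenticator.
function clientGetAssertion(privateKey, rpId, origin, challenge, userPresent = true) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const hash = sha256(clientDataJSON);
  return { clientDataJSON, ...authenticatorSign(privateKey, rpId, hash, 1, userPresent) };
}

// Relying party: checks each bound field, then rebuilds authData || SHA-256(clientDataJSON).
function verifyAssertion(publicKey, expected, { clientDataJSON, authData, signature }) {
  const c = JSON.parse(clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad type';
  if (c.challenge !== expected.challenge.toString('base64url')) return 'bad challenge';
  if (c.origin !== expected.origin) return 'bad origin';
  if (!authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'bad rpIdHash';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const rp = { rpId: 'example.com', origin: 'https://example.com', challenge: crypto.randomBytes(32) };
  const good = clientGetAssertion(privateKey, rp.rpId, rp.origin, rp.challenge);
  // Trailing space keeps the JSON fields valid but changes the hash that was signed.
  const tampered = { ...good, clientDataJSON: Buffer.concat([good.clientDataJSON, Buffer.from(' ')]) };
  const otherOrigin = clientGetAssertion(privateKey, rp.rpId, 'https://login.example.net', rp.challenge);
  const noPress = clientGetAssertion(privateKey, rp.rpId, rp.origin, rp.challenge, false);
  const check = (a) => verifyAssertion(publicKey, rp, a);
  return { good: check(good), tampered: check(tampered),
           wrongOrigin: check(otherOrigin), noPress: check(noPress) };
}
console.log(demo());
```

The relying party can only accept a signature whose client data carries the expected type, challenge and origin, which is why the signed blob works as an authentication assertion rather than a signature over a caller-chosen message.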