Webauthn delegation

If NNS is delegating a principal to a webauthn signer, can that webauthn then delegate to another signer and enter itself into the delegation chain?

If so, what would this look like?

Use case is that we want to auth an NNS based principal to access its NNS neurons on a different url(full access…not a hot key.)

Similar question, but around how one might forward a delegation between different parts of an application @frederikrothenberger

Hi @skilesare, hi @icme

Creating additional delegations is possible, yes. If I’m not mistaken, the limit is ~10 delegation levels that can be used at most.

If so, what would this look like?

So in the current model that is used with II, we have one delegation and the root is the II canister.
So:

1. II canister signs delegation on session key
2. Session key signs canister call envelopes (and includes the delegation as specified here in sender_delegation), to get the identity of the II issued public key.

Now, to add additional delegation levels, the scenario could look like this:

1. II canister signs delegation on some key A
2. Key A signs a delegation on Key B
3. Key B signs canister call envelopes (and includes both delegations issued in step 1 and 2 as specified here in sender_delegation), to get the identity of the II issued public key. The caller will still be the II issued public key from step 1.

Note that in step two there is an opportunity to further restrict the permissions associated with the delegation. In particular, the delegation from key A to B might have a shorter expiration time and / or a more restricted set of allowed targets.

@icme: In particular key A and B might belong to different parts of the application, where A might be some sort of session management system and B a consumer that only requires some limited access to certain things.

Does this answer your questions?

I might have a few questions later, but thanks @frederikrothenberger, this is great for now!