Possibility of using WebUSB to interact with age keys stored on a YubiKey?

[mirshko]

Subject says it all really, but wondering if it would be possible to decrypt using the private key stored on a yubikey at all, or if this functionality wouldn't really be possible in-browser.

[FiloSottile]

This would be nice, but my understanding is that smart cards (presumably all of CCID/OpenPGP/PIV/CTAP2) are not accessible via WebUSB like all other device classes handled natively by the OS. In fact, there was a big vulnerability because initially it was possible to use WebUSB to talk directly to FIDO2 tokens and bypass origin binding in WebAuthN.

What is probably possible is using the WebAuthN prf extension (explainer) to interoperate with age-plugin-fido2-hmac. (Note that's not age-plugin-yubikey and only supports symmetric encryption.) I'd be happy to see a PoC of that, and you could consider opening an issue in age-plugin-fido2-hmac's tracker.

There is also a Web Smart Card API proposal. It's possible we'd be able to use that, but I am not sure how they plan to handle the security issues they describe.

[olastor]

What is probably possible is using the WebAuthN prf extension (explainer) to interoperate with age-plugin-fido2-hmac. (Note that's not age-plugin-yubikey and only supports symmetric encryption.) I'd be happy to see a PoC of that, and you could consider opening an issue in age-plugin-fido2-hmac's tracker.

Just saw this comment. This is quite exciting as my latest understanding was that the hmac-secret extension has no browser support at all. I created an issue to look into this.