Support for authenticators providing more than one key

[agl]

(Filed ahead of L3 charter renewal to highlight things that we are thinking about for L3 so that the charter does not preclude it.)

We may wish authenticators to be able to provide a second public key / signature, likely in an extension, where the keys have different security properties.

UPDATE: see issue #1658 for a concrete design

[sbweeden]

So many things come to mind with a pattern like this, such as:

• Would the user be aware they are registering two keypairs - and would they be so informed in the user agent UI?
• Would this extension also apply to an assertion ceremony such that keypair replacement / rollover is possible, e.g. including to a newer algorithm? If so, would auto-revocation of the old key be part of the semantics that an RP should implement?

I realise early days, but a suggestion for this kind of extension has boundless possibilities.

[emlun]

Sounds very similar to parts of our recovery extension proposal in #1425, this could definitely be useful for a variety of things.

[nicksteele]

This sounds very similar to a couple ideas that have been floating around FIDO and W3C space, the recovery extension as emil mentioned and I could also see this being used for enterprise attestation purposes.

[Firstyear]

I think that it's worth having a concrete design around the intended user experience and authentication flows here so that a discussion can be had. At the moment it's not clear what this solves.

[equalsJeffH]

See also @akshayku's strongly related issue #1640.

[agl]

(Replaced by #1658.)