RE: API consumer question: How do we recover Credential? from Vijay Bharadwaj on 2016-07-18 (public-webauthn@w3.org from July 2016)

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Mon, 18 Jul 2016 00:52:29 +0000
To: "J.C. Jones" <jc@mozilla.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <a1a65ba1445a4e64b0996afd1ac44a03@microsoft.com>

Could use the AAGUID in conjunction with metadata service. Or we could add a flag to be returned by authenticator at makeCredential time.

From: J.C. Jones [mailto:jc@mozilla.com]
Sent: Sunday, July 17, 2016 5:40 AM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: API consumer question: How do we recover Credential?

Rolling it into #60 makes sense to me.

On Fri, Jul 15, 2016 at 11:18 PM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
So couldn’t an RP tell this from the attestations? It would know which of its credentials will or will not work without the optional argument, and could do the UI accordingly.

There's nothing to my knowledge in the attestation certificate to identify how an authenticator functions; it would be up to the RP to define something using out-of-band knowledge, wouldn't it?
Or you could define a heuristic that says, if a Credential's id field is very long, then it's probably an authenticator which doesn't remember keys.
That's all that occurs to me, anyway!
J.C.

Received on Monday, 18 July 2016 00:53:21 UTC