Re: [webauthn] attachment is only explicitly used in create()

I vote (a) and I agree with @emlun that this doesn’t work for resident credentials, but it doesn’t need to. This is to solve for a typical reauth scenario where the RP only wants to register a credential on a local “platform” authenticator since part of the security model is the fact that the authenticator is built-in (i.e. it’s really used as a 2nd factor; the cookie identifying the platform is the first factor). In this case the RP will always have the credentialID since it has a handle to the device (via a session cookie, etc.) and can use the allowList.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/420#issuecomment-345911857 using your GitHub account

Received on Tuesday, 21 November 2017 04:14:36 UTC
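
The reauth flow described in the comment above, sketched as an added example that is not part of the original message or the WebAuthn project: the RP looks up the credential IDs it recorded for the device named by the session cookie and builds a `get()` request restricted to the platform ones. The store layout, the `attachment` field recorded at registration, and the function names are assumptions; the field the comment calls allowList is named `allowCredentials` in the published specification. Runs under Node.js.

```javascript
// Constructed sample data (hypothetical schema): credentials the RP stored at
// registration, keyed by the device handle carried in the session cookie.
const credentialStore = {
  "device-abc": [
    { id: "AQIDBAUGBwg", attachment: "platform" },
    { id: "CQoLDA0ODxA", attachment: "cross-platform" },
  ],
  "device-xyz": [{ id: "ERITFBUWFxg", attachment: "cross-platform" }],
};

// Decode a base64url credential ID into the bytes WebAuthn expects.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(Buffer.from(b64, "base64"));
}

// Build PublicKeyCredentialRequestOptions for re-authentication.
// get() has no attachment parameter, so the restriction is expressed by
// listing only credentials the RP itself recorded as "platform".
// Returns null when the device has no such credential, so the caller can
// fall back to a full login instead of accepting any authenticator.
function buildReauthOptions(store, deviceHandle, challenge, rpId) {
  const known = Object.prototype.hasOwnProperty.call(store, deviceHandle)
    ? store[deviceHandle]
    : [];
  const platformOnly = known.filter((c) => c.attachment === "platform");
  if (platformOnly.length === 0) return null;
  return {
    challenge,
    rpId,
    allowCredentials: platformOnly.map((c) => ({
      type: "public-key",
      id: base64urlToBytes(c.id),
      transports: ["internal"],
    })),
  };
}
```

The returned object is what would be passed as `publicKey` to `navigator.credentials.get()` in the browser; the server must still check that the credential ID in the assertion is one of those it listed.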