Re: [webauthn] Consider allowing RPs to indicate that they want platform authenticators to be synced across devices

Thanks @ptoomey3! I agree that (almost) anything that simply moves people away from passwords is a good thing. That said, I don't think it's necessary that the RP can indicate it allows credentials to be portable and/or synced. Like you say...

> if Apple released a version of Safari tomorrow that implemented this full flow purely in software and stored the key pair in iCloud keychain, would that violate something in terms of compliance, certification, ....?

I wouldn't say that would violate the spec in any way, but it would indeed not be eligible for many certifications. It also probably wouldn't be able to produce a meaningful attestation statement, since a software authenticator (without cooperation from the OS) can do very little to protect an attestation key. That said, none of that matters as long as the RP accepts the (possibly empty) attestation statement - so in a way, RPs can _already_ opt in to allowing syncable credentials by accepting credentials from authenticators that do not promise to not do that. Actually, it's rather something they need to opt out of, since the RP by default will not ask for attestation.

Adding a standardised way to express features like that in attestation certificates sounds reasonable, but perhaps in the scope of a certification authority rather than the core WebAuthn spec? (I'm thinking a list of such feature indicators would likely grow over time)

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-401082920 using your GitHub account

Received on Thursday, 28 June 2018 15:52:27 UTC
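Added example (not emlun's code, and not from the WebAuthn spec or the w3c/webauthn repository): a minimal RP-side check that makes the point above concrete. An RP that leaves the `attestation` option at its spec default of "none" gets an empty "none" attestation statement and accepts whatever authenticator produced the credential; an RP that asks for attestation has to decide what to do with fmt "none" and with an AAGUID it does not recognise. The CBOR codec is a hand-rolled subset, the RP ID example.com and the allowlisted AAGUID are hypothetical, both attestation objects are constructed here, and the fmt-specific attStmt signature/chain verification is deliberately left as a separate "verify-attstmt" outcome rather than pretended.

```python
import hashlib

# Minimal CBOR codec (ints, byte/text strings, arrays, maps): enough for an attestationObject.
def _hdr(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("item too large for this encoder")

def cbor_encode(v):
    if isinstance(v, int):
        return _hdr(0, v) if v >= 0 else _hdr(1, -1 - v)
    if isinstance(v, (bytes, str)):
        raw = v if isinstance(v, bytes) else v.encode()
        return _hdr(2 if isinstance(v, bytes) else 3, len(raw)) + raw
    if isinstance(v, list):
        return _hdr(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(b, i):
    major, n, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if 24 <= n <= 26:                       # 1-, 2- or 4-byte argument follows
        width = 1 << (n - 24)
        n, i = int.from_bytes(b[i:i + width], "big"), i + width
    elif n > 26:
        raise ValueError("unsupported CBOR additional info")
    if major in (0, 1):
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):
        chunk = bytes(b[i:i + n])
        return (chunk if major == 2 else chunk.decode()), i + n
    if major == 4:
        items = []
        for _ in range(n):
            item, i = _decode(b, i)
            items.append(item)
        return items, i
    if major == 5:
        items = {}
        for _ in range(n):
            key, i = _decode(b, i)
            items[key], i = _decode(b, i)
        return items, i
    raise ValueError(f"unsupported CBOR major type {major}")

def cbor_decode(b):
    v, end = _decode(b, 0)
    if end != len(b):
        raise ValueError("trailing bytes after CBOR item")
    return v

# authData: rpIdHash(32) | flags(1) | signCount(4) | [attested credential data] | [extensions]
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80
def parse_auth_data(ad):
    out = {"rpIdHash": bytes(ad[:32]), "flags": ad[32], "signCount": int.from_bytes(ad[33:37], "big")}
    i = 37
    if ad[32] & FLAG_AT:
        out["aaguid"], i = bytes(ad[i:i + 16]), i + 16
        n, i = int.from_bytes(ad[i:i + 2], "big"), i + 2
        out["credentialId"], i = bytes(ad[i:i + n]), i + n
        out["publicKey"], i = _decode(ad, i)  # COSE_Key map
    if ad[32] & FLAG_ED:
        out["extensions"], i = _decode(ad, i)
    if i != len(ad):
        raise ValueError("trailing bytes in authData")
    return out

# RP policy. requested_conveyance is the RP's `attestation` option (spec default "none"). "verify-attstmt"
# means acceptable only after the fmt-specific attStmt check (signature over authData || clientDataHash,
# chain validation for x5c), which this example does not perform. Registration authData always carries AT.
def rp_decision(requested_conveyance, attestation_object, trusted_aaguids):
    att = cbor_decode(attestation_object)
    fmt, auth = att["fmt"], parse_auth_data(att["authData"])
    if not auth["flags"] & FLAG_UP:
        return "reject", "user presence not asserted"
    if requested_conveyance == "none":
        return "accept", f"attestation not requested; fmt {fmt!r} ignored"
    if fmt == "none":   # empty attStmt: nothing distinguishes certified hardware from pure software
        return "reject", "RP asked for attestation but received fmt 'none'"
    if auth["aaguid"].hex() not in trusted_aaguids:
        return "reject", f"AAGUID {auth['aaguid'].hex()} not on RP allowlist"
    return "verify-attstmt", f"fmt {fmt!r} from allowlisted AAGUID; attStmt still to be verified"

# Constructed sample objects (not real authenticator output); RP ID and AAGUID are hypothetical.
RP_ID_HASH = hashlib.sha256(b"example.com").digest()
TRUSTED_AAGUID = "0102030405060708090a0b0c0d0e0f10"
def build_auth_data(aaguid, cred_id, flags=FLAG_UP | FLAG_UV | FLAG_AT):
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}  # EC2/ES256 shape, dummy coords
    return (RP_ID_HASH + bytes([flags]) + (0).to_bytes(4, "big") + aaguid
            + len(cred_id).to_bytes(2, "big") + cred_id + cbor_encode(cose_key))

NONE_ATT_OBJ = cbor_encode({"fmt": "none", "attStmt": {}, "authData": build_auth_data(b"\x00" * 16, b"cred-a")})
PACKED_ATT_OBJ = cbor_encode({"fmt": "packed", "attStmt": {"alg": -7, "sig": b"\x00" * 64},
                              "authData": build_auth_data(bytes.fromhex(TRUSTED_AAGUID), b"cred-b")})
```

Calling rp_decision("none", NONE_ATT_OBJ, {TRUSTED_AAGUID}) accepts, which is the default-opt-in situation described above; rp_decision("direct", NONE_ATT_OBJ, ...) rejects because an RP that asked for attestation has nothing to evaluate; rp_decision("direct", PACKED_ATT_OBJ, {TRUSTED_AAGUID}) returns "verify-attstmt", the point at which a real RP would run the packed-format signature and certificate checks before trusting the AAGUID. The decoder does not enforce CTAP2 canonical CBOR ordering, which a production RP should.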