- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Apr 2019 20:26:12 +0000
- To: public-webauthn@w3.org

Notes from 2019-04-03 WG call:

- @akshayku echoes @sbweeden's original proposal: `required`, `preferred`, `discouraged`.
- @agl remarks that "discouraged" is concerning: RP may want a credential to be usable only with allowList. Currently in CTAP2 and WebAuthn L1, `requireResidentKey: false` doesn't guarantee that.
- "forbidden" would ease @agl's concerns; unclear if we can guarantee that much. In practice few existing authenticators create RK when given `requireResidentKey: false`, so maybe we can retroactively modify `requireResidentKey: false` to mean "RK forbidden"?
- @emlun thinks there should also be an "indifferent" value in addition to "discouraged", because `requireResidentKey: false` maps closer to "indifferent" than to "discouraged".
- Broad agreement that we should reformulate the descriptions of resident keys to be more focused on the aspect "can be used with empty allowList" rather than "stored in the authenticator".

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-479645567 using your GitHub account

Received on Wednesday, 3 April 2019 20:26:13 UTC