Re: [webauthn] No way to verify requireResidentKey during registration step at RP side (#1060) from Ki-Eun Shin via GitHub on 2019-01-16 (public-webauthn@w3.org from January 2019)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Wed, 16 Jan 2019 21:06:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-454941476-1547672792-sysbot+gh@w3.org>

@herrjemand I'm not sure about the current authenticator's implementation. But, what if the authenticator only supports device resident key feature and the server set _requireResidentKey_ as false or let it as default value?
With current approach, there is no way for RP to check whether the credential is located in the client side or not. Also, such information should be singed over to provide the integrity.


-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-454941476 using your GitHub account

Received on Wednesday, 16 January 2019 21:06:34 UTC