- From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
- Date: Wed, 26 Jun 2019 20:54:30 +0000
- To: public-webauthn@w3.org
I must say, this is all incredibly confusing to me. Let me start from the beginning again:

I want the U2F use-case in FIDO2. I.e. I want, as an RP, to be able to make a credential that **does not** require a PIN during BOTH the creation and signature generation. Even when the "security key has a PIN" I don't want one to be asked. As long as I have a way to do that, I'm good.

I *thought* that we said that we're all okay with a credential being created without asking for UV, AS LONG AS THE CREDENTIAL always has to be exercised using an AllowList (i.e. it's not resident, because otherwise a bad website can fill up my key). I don't agree with this argument, but that's the one that was made.

So, in my mind, if I can _only_ get this behavior if I set UV=discouraged AND force a non-resident credential creation on the key, I need a way to do that. If now, we don't care anymore about the resident vs non-resident requirement, that's fine, but that needs to be written down in the spec.

All I want is a way to make a credential on a security key, that NEVER EVER EVER asks for a PIN during creation. In the current setup, what will I send via WebAuthn to accomplish that?

--
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-506040708 using your GitHub account
Received on Wednesday, 26 June 2019 20:54:33 UTC
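
The request shape the comment describes (UV discouraged, non-resident creation, assertions always through an allow list), as an added example that is not part of the original message; it also reads the UP/UV flags from the returned authenticator data so an RP can record whether verification actually took place. The RP ID, user fields and sample bytes are constructed, and the example makes no claim about whether a given authenticator will prompt for a PIN, which is the question the issue debates.

```javascript
// Added example, not from the original message. RP and user values are constructed.

// Creation request: non-resident credential, user verification discouraged.
// The challenge is assumed to come from the RP's server.
function buildCreateOptions(challenge, userId) {
  return {
    publicKey: {
      challenge,
      rp: { id: "example.com", name: "Example RP" },
      user: { id: userId, name: "alice", displayName: "Alice" },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        requireResidentKey: false,
        userVerification: "discouraged",
      },
    },
  };
}

// Assertion request: the credential is always exercised through an allow list.
function buildGetOptions(challenge, credentialIds) {
  if (!credentialIds.length) throw new Error("allowCredentials must not be empty");
  return {
    publicKey: {
      challenge,
      rpId: "example.com",
      userVerification: "discouraged",
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & 0x01) !== 0,  // UP bit
    userVerified: (flags & 0x04) !== 0, // UV bit
    signCount: view.getUint32(0),
  };
}

// Constructed sample: zeroed rpIdHash, caller-chosen flags and counter.
function sampleAuthData(flags, count) {
  const data = new Uint8Array(37);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, count);
  return data;
}
```

In a browser the two option objects are passed to `navigator.credentials.create()` and `navigator.credentials.get()`; `parseFlags` would normally run server-side on the authenticator data that the signature covers.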