- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Thu, 20 Apr 2017 20:53:31 +0000
- To: public-webauthn@w3.org
@jyasskin

> ...this bit really is asking the authenticator to return something about its notion of user identity...

I disagree -- at nav.creds.get() (aka getAssn()) time, the authnr is only saying "the entity I've interacted with now is AFAICT the same entity that I did when creating the credential". At nav.creds.create() time, it is saying "this public key & credId are mapped to my notion of the entity I've just interacted with, and I'm going to remember that, and require that same entity's presence during future nav.creds.get() invocations".

Any notion of "identity" is in the eye of the RP, and depends on whatever collection of attributes the RP is mapping to these interactions and also how the RP models its notions of "identity" -- but the webauthn protocol and API are not _cognizant_ of RPs' notions of "identity" (even tho some of the RP's "user identity attributes" may be established by and conveyed via the protocol).

I.e., webauthn only provides one little piece of an RP's identity puzzle -- peer-entity authn mapped to a couple of identifiers and a public key -- managing the overall notion of "user identity" is a much broader problem and is up to the RP to figure out.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/409#issuecomment-295908118 using your GitHub account
Received on Thursday, 20 April 2017 20:53:38 UTC