W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2017

Re: [webauthn] attachment is only explicitly used in create()

From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
Date: Tue, 21 Nov 2017 04:14:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-345911857-1511237671-sysbot+gh@w3.org>
I vote (a) and I agree with @emlun that this doesn’t work for resident credentials, but it doesn’t need to. This is to solve for a typical reauth scenario where the RP only want to register a credential on a local “platform” authenticator since part of the security model is the fact that the authenticator is built-in (ie. it’s really used as a 2nd factor; the cookie identifying the platform is the first factor). In this case the RP will always have the credentialID since it has a handle to the device (via a session cookie, etc) and can use the allowList.

GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/420#issuecomment-345911857 using your GitHub account
Received on Tuesday, 21 November 2017 04:14:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:44 UTC