I would recommend pairing such a flag (if we should end up supporting it) with the ability of an authenticator to express support for non-exportable/non-migratable keys in the attestation statement (e.g. similar to never exportable flag in PKCS#11 - but with crptographic assertion on it). With that RPs interested in the security aspect have an assertion stating whether or not the key is exportable. -- GitHub Notification of comment by rlin1 Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-400973330 using your GitHub accountReceived on Thursday, 28 June 2018 09:30:50 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:33 UTC