Re: [webauthn] Consider allowing RPs to indicate that they want platform authenticators to be synced across devices

> Actually, it's rather something they need to opt out of, since the RP by default will not ask for attestation.

This was my thought as well. It feels like the cases where an RP would require an attestation might be the exception and not the rule. So, a default of no attestation would imply that the RP assumes nothing about the authenticator (which is probably fine for the vast majority of RPs). And, if they do want to have restrictions, the RP looks for an attestation from an authenticator capable of that.



-- 
GitHub Notification of comment by ptoomey3
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-401089126 using your GitHub account

Received on Thursday, 28 June 2018 16:11:40 UTC
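
The two RP postures discussed in this message, sketched as an added example (not code from the thread or from the WebAuthn specification). The function names, the policy objects and the AAGUID are hypothetical and constructed for illustration, and the server-side check assumes the attestation object has already been CBOR-decoded and its statement verified elsewhere.

```javascript
// Hypothetical RP policies, constructed for this example.
const DEFAULT_RP = { requireAttestation: false, allowedAaguids: [] };
const RESTRICTED_RP = {
  requireAttestation: true,
  // Constructed placeholder AAGUID, not a real authenticator model.
  allowedAaguids: ["00000000-0000-0000-0000-000000000001"],
};

// Build the object passed as `publicKey` to navigator.credentials.create().
// `challenge` and `user` are supplied by the caller (server-generated values).
function buildCreationOptions(policy, challenge, user) {
  const options = {
    rp: { name: "Example RP" },
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
  };
  // Leaving `attestation` out is the same as "none": the RP assumes nothing
  // about the authenticator. Only an RP with restrictions opts in.
  if (policy.requireAttestation) options.attestation = "direct";
  return options;
}

// Registration decision on a decoded attestation object:
// { fmt, aaguid, statementVerified } (field names are assumptions).
function acceptRegistration(policy, att) {
  if (!policy.requireAttestation) {
    return { ok: true, reason: "no attestation required" };
  }
  // Requesting "direct" does not guarantee an attestation comes back:
  // the client may still return fmt "none", so the RP has to check.
  if (att.fmt === "none") {
    return { ok: false, reason: "attestation required but none supplied" };
  }
  if (!att.statementVerified) {
    return { ok: false, reason: "attestation statement not verified" };
  }
  if (!policy.allowedAaguids.includes(att.aaguid)) {
    return { ok: false, reason: "authenticator model not allowed" };
  }
  return { ok: true, reason: "attested authenticator allowed" };
}
```
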