Re: [webauthn] Consider allowing RPs to indicate that they want platform authenticators to be synced across devices

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 29 Jun 2018 10:24:28 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-401314987-1530267867-sysbot+gh@w3.org>

In practice, yes. There's no API for expressing this particular preference, but the only way for the RP to enforce - or even know - anything about how the authenticator operates is to require and verify a trusted attestation statement (with the assumption that trusted authenticators do behave as promised by their certificate/vendor/whatever). If the RP does not verify or ask for attestation (which it won't by default, since `attestationConveyance` defaults to `"none"`), then the authenticator can in practice do whatever it wants.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-401314987 using your GitHub account
Received on Friday, 29 June 2018 10:24:41 UTC
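
Added example, not part of the original message or of the WebAuthn project's code: a Node.js sketch of the RP-side decision the message describes, reading `fmt` and the AAGUID out of an `attestationObject` and treating a `"none"` attestation as telling the RP nothing about the authenticator. The names `assessAttestation`, `trustedAaguids` and `sampleAttestationObject` are hypothetical, the sample bytes are constructed, and verification of the attestation statement's signature and certificate chain is assumed to happen elsewhere.

```javascript
// Minimal CBOR reader covering only what an attestationObject needs here:
// integers, byte strings, text strings, arrays and maps with short lengths.
function cborDecode(buf, pos = 0) {
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let len = info;
  if (info >= 24 && info <= 26) {
    const n = 1 << (info - 24); // 1, 2 or 4 following length bytes
    len = buf.readUIntBE(pos, n);
    pos += n;
  } else if (info > 26) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return [len, pos];
  if (major === 1) return [-1 - len, pos];
  if (major === 2) return [buf.subarray(pos, pos + len), pos + len];
  if (major === 3) return [buf.toString("utf8", pos, pos + len), pos + len];
  if (major > 5) throw new Error("unsupported CBOR major type " + major);
  const out = major === 4 ? [] : {};
  for (let i = 0; i < len; i++) {
    let k = i, v;
    if (major === 5) [k, pos] = cborDecode(buf, pos);
    [v, pos] = cborDecode(buf, pos);
    out[k] = v;
  }
  return [out, pos];
}

// What can the RP conclude about the authenticator from a registration?
// trustedAaguids: hypothetical RP allowlist of authenticator models (hex).
function assessAttestation(attestationObject, trustedAaguids) {
  const [att] = cborDecode(attestationObject);
  const attested = (att.authData[32] & 0x40) !== 0; // AT flag in authData
  const aaguid = attested ? att.authData.subarray(37, 53).toString("hex") : null;
  if (att.fmt === "none") return { action: "no-assurance", reason: "fmt none", aaguid };
  if (!trustedAaguids.has(aaguid)) return { action: "no-assurance", reason: "unknown model", aaguid };
  // Not shown: attStmt signature and certificate chain validation.
  return { action: "verify-statement", reason: "model allowlisted", aaguid };
}

// Constructed sample: zeroed rpIdHash and signCount, empty attStmt, no key.
function sampleAttestationObject(fmt, aaguidHex) {
  const text = s => Buffer.concat([Buffer.from([0x60 + s.length]), Buffer.from(s)]);
  const authData = Buffer.concat([Buffer.alloc(32), Buffer.from([0x41]),
    Buffer.alloc(4), Buffer.from(aaguidHex, "hex"), Buffer.alloc(2)]);
  return Buffer.concat([Buffer.from([0xa3]), text("fmt"), text(fmt),
    text("attStmt"), Buffer.from([0xa0]), text("authData"),
    Buffer.from([0x58, authData.length]), authData]);
}
```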
