[webauthn] No way to verify requireResidentKey during registration step at RP side

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Mon, 10 Sep 2018 12:03:03 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-358592184-1536580983-sysbot+gh@w3.org>
Kieun has just created a new issue for https://github.com/w3c/webauthn:

== No way to verify requireResidentKey during registration step at RP side ==
In order to allow only authenticators that have the resident key feature, for security reasons, the RP can set requireResidentKey to true when calling the create request.

```
dictionary AuthenticatorSelectionCriteria {
    AuthenticatorAttachment      authenticatorAttachment;
    boolean                      requireResidentKey = false;
    UserVerificationRequirement  userVerification = "preferred";
};
```

Even if platforms and browsers handle such parameters and may work correctly, from the RP's point of view there is no way to verify whether the credentials are really resident on the authenticator or not.
If the authenticator data includes requireResidentKey as a flag like UV and UP, the RP can verify its value and integrity by verifying the signature.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060 using your GitHub account
Received on Monday, 10 September 2018 12:03:06 UTC
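
The flag check the issue refers to, as an added example that is not part of the original message or of the WebAuthn project's code: an RP-side parser for the fixed header of the authenticator data (WebAuthn Level 1 layout), showing that UP and UV can be checked from the signed flags byte while a requested requireResidentKey has no bit to check. The function names, the policy object shape and the sample bytes are assumptions made for illustration.

```javascript
// Authenticator data header (WebAuthn Level 1): rpIdHash[32] | flags[1] | signCount[4]
const FLAG_BITS = { UP: 0x01, UV: 0x04, AT: 0x40, ED: 0x80 };

// Hypothetical helper: decode the fixed 37-byte header from a Uint8Array.
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flagsByte = authData[32];
  const flags = {};
  for (const [name, mask] of Object.entries(FLAG_BITS)) {
    flags[name] = (flagsByte & mask) !== 0;
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    reservedBits: flagsByte & 0x3a,       // bits 1 and 3-5, reserved in Level 1
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Hypothetical helper: compare what the RP requested in create() with what
// the signed flags can prove. Signature verification is assumed to be done
// separately, before the flags are trusted.
function checkRegistrationPolicy(authData, requested) {
  const { flags } = parseAuthenticatorData(authData);
  const failed = [];
  const unverifiable = [];
  if (!flags.UP) failed.push("userPresence");
  if (requested.userVerification === "required" && !flags.UV) {
    failed.push("userVerification");
  }
  // No flag bit reports whether the credential is resident, so the RP
  // can only record that this requirement was not verifiable.
  if (requested.requireResidentKey) unverifiable.push("requireResidentKey");
  return { failed, unverifiable };
}

// Constructed sample: zeroed rpIdHash, flags = UP|UV|AT (0x45), signCount = 7.
// The attested credential data that follows the header is omitted.
function sampleAuthData() {
  const data = new Uint8Array(37);
  data[32] = 0x45;
  data[36] = 7;
  return data;
}
```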