Re: [webauthn] No way to verify requireResidentKey during registration step at RP side

I was about to say this can in theory be derived from trust in the attestation statement and thus trust that the authenticator obeys the parameter - but since `requireResidentKey` is actually not included in [CollectedClientData][ccd], it is indeed not possible for the RP to verify that the option was respected (other than performing a successful authentication ceremony with no `allowCredentials`).

This issue is related to #889 and #991.

[ccd]: https://w3c.github.io/webauthn/#sec-client-data

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-419893022 using your GitHub account

Received on Monday, 10 September 2018 12:20:20 UTC
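
The only check the comment above leaves open to the RP, an authentication ceremony with no `allowCredentials`, can be run right after registration. The following is an added example, not code from the issue thread or from the WebAuthn specification; the function names, the shape of the `registered` record (with the public key already converted to a Node `KeyObject`) and all sample values are constructed assumptions.

```javascript
const crypto = require('crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
const b64url = (b) => Buffer.from(b).toString('base64url');
const fail = (reason) => ({ resident: false, reason });

// Probe request: allowCredentials is empty, so the RP supplies no credential ID
// and only a credential stored on the authenticator can answer.
const probeOptions = (challenge, rpId) => ({ challenge, rpId, allowCredentials: [] });

// `registered` is the RP's own record from registration (hypothetical shape:
// credentialId, userHandle, publicKey as a Node KeyObject).
function confirmResidentKey(registered, assertion, expected) {
  if (!assertion) return fail('no assertion returned');
  const r = assertion.response;
  if (assertion.id !== registered.credentialId) return fail('different credential');
  const cd = JSON.parse(r.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return fail('type');
  if (cd.challenge !== b64url(expected.challenge)) return fail('challenge');
  if (cd.origin !== expected.origin) return fail('origin');
  if (!r.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return fail('rpIdHash');
  if (!(r.authenticatorData[32] & 0x01)) return fail('user not present');
  const signed = Buffer.concat([r.authenticatorData, sha256(r.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, registered.publicKey, r.signature)) return fail('signature');
  if (!r.userHandle || !r.userHandle.equals(registered.userHandle)) return fail('userHandle');
  return { resident: true, reason: 'ok' };
}

// Constructed stand-in for an authenticator holding a resident credential.
function sampleAssertion(privateKey, credentialId, userHandle, opts, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: b64url(opts.challenge), origin }));
  const authenticatorData = Buffer.concat(
    [sha256(opts.rpId), Buffer.from([0x01]), Buffer.alloc(4)]); // UP flag, signCount 0
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { id: credentialId, response: { clientDataJSON, authenticatorData, signature, userHandle } };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const registered = { credentialId: 'Y3JlZC0x', userHandle: Buffer.from('user-1'), publicKey };
  const expected = { challenge: crypto.randomBytes(32), rpId: 'example.com', origin: 'https://example.com' };
  const opts = probeOptions(expected.challenge, expected.rpId);
  const ok = sampleAssertion(privateKey, registered.credentialId, registered.userHandle, opts, expected.origin);
  return { withResidentKey: confirmResidentKey(registered, ok, expected),
           withoutResidentKey: confirmResidentKey(registered, null, expected) };
}
```

The `null` assertion stands for the non-resident case: with an empty `allowCredentials` the authenticator is given no credential ID to work from, so the ceremony ends without a response.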