Re: [webauthn] No way to verify requireResidentKey during registration step at RP side (#1060)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Wed, 16 Jan 2019 21:06:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-454941476-1547672792-sysbot+gh@w3.org>
@herrjemand I'm not sure about the current authenticator's implementation. But what if the authenticator only supports the device resident key feature and the server sets _requireResidentKey_ to false or leaves it as the default value?
With the current approach, there is no way for the RP to check whether the credential is located on the client side or not. Also, such information should be signed over to provide integrity.

GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-454941476 using your GitHub account
Received on Wednesday, 16 January 2019 21:06:34 UTC