Re: [webauthn] No way to verify requireResidentKey during registration step at RP side (#1060)

@emlun wrote:
> `requireResidentKey: false` does not mean the authenticator must not create a resident key. It only means that a resident key is not required, so the authenticator is free to choose which kind of key to create.

Agreed, that is my understanding per webauthn & CTAP specs.

Note that the webauthn language for [requireResidentKey](http://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey) says only this:
> "If the parameter is set to true, the authenticator MUST create a client-side-resident public key credential source when creating a public key credential."

Note also the "credential storage modality" section here: http://w3c.github.io/webauthn/#sctn-credential-storage-modality, whose last paragraph says:

> Note that a resident credential capable authenticator MAY support both storage strategies. In this case, the authenticator MAY at its discretion use different storage strategies for different credentials, though subject to the requireResidentKey option of create().

It seems to me @Kieun has a valid point here (https://github.com/w3c/webauthn/issues/1060#issuecomment-455404261)

cc: @christiaanbrand 



-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-458363976 using your GitHub account

Received on Tuesday, 29 January 2019 00:57:24 UTC