Re: [webauthn] Pass through other assertion formats (#1232)

From call of 2019-06-05:

Rolf clarified that registration would be handled out-of-band.

I, for Chrome, said that arbitrary Authenticator Data would be very problematic. Akshay, I think, said something similar. I suggested putting the necessary information in an extension and having the RP reconstruct the signed message from that.

There was worry about this being a channel for arbitrary data through the browser. Several such channels already exist, but people are thrilled about adding more.

J. C. queries how a reader of the spec would be able to figure out the necessary supporting documents to be able to use this. (I.e. the UAF specs.)

John asks about UAF extensions themselves, which currently aren't defined for WebAuthn and so couldn't be passed in.

Mike notes that no UAF authenticators work with WebAuthn today, so new code will be needed. But if a change is needed why not make these authenticators real CTAP2 devices? Rolf asserts that parts of this ecosystem are pretty hard to change, but adding an interop layer would be much easier.

John, J. C., and Mike ask about the number of devices that would partake in order to judge the value.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1232#issuecomment-499224650 using your GitHub account

Received on Wednesday, 5 June 2019 19:35:25 UTC