W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2019

Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jun 2019 20:54:30 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-506040708-1561582469-sysbot+gh@w3.org>
I must say, this is all incredibly confusing to me.

Let me start from the beginning again:

I want the U2F use-case in FIDO2. Ie. I want, as an RP, to be able to make a credential, that **does not** require a PIN during BOTH the creation and signature generation. Even when the "security key has a PIN" I don't want one to be asked. As long as I have a way to do that, I'm good.

I *thought* that we said that we're all okay with a credential being created without asking for UV, AS LONG AS THE CREDENTIAL always has to be exercised using an AllowList (ie. it's not resident, because otherwise a bad website can fill up my key). I don't agree with this argument, but that's the one that was made.

So, in my mind, if I can _only_ get this behavior if I set UV=discouraged AND force a non-resident credential creation on the key, I need way to do that. If now, we don't care anymore about the resident vs non-resident requirement, that's fine, but that needs to be written down in the spec.

All I want is a way to make a credential on a security key, that NEVER EVER EVER asks for a PIN during creation. In the current setup, what will I send via WebAuthn to accomplish that?

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-506040708 using your GitHub account
Received on Wednesday, 26 June 2019 20:54:33 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:37 UTC