
Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Thu, 27 Jun 2019 06:49:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-506216331-1561618173-sysbot+gh@w3.org>

So my take on @christiaanbrand's requirement is that this is how things *should* behave today (even in L1) if navigator.credentials.create is called with requireResidentKey=false (or absent, since that's the default), and userVerification=discouraged. The simple fact, though, is that this isn't how all browser+authenticator combinations behave - the behaviour is inconsistent across browsers (CTAP1 vs CTAP2) and when using platform vs roaming authenticators, and even changes depending on some roaming authenticators' enabled capabilities (if a PIN is set vs not set). I don't think a functional spec change is really required or desirable, but I do think it's worth getting the editors to weigh in on whether or not they concur that the combination of modifiers I have suggested should result in the requested behaviour. If so, then the spec could provide specific direction regarding same.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-506216331 using your GitHub account
Received on Thursday, 27 June 2019 06:49:36 UTC
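
The option combination named in the message above, with a relying-party check of the user-verified flag in the returned authenticator data, as an added example that is not part of the original message or of the WebAuthn specification. The function names, the result strings and the sample bytes are hypothetical; authenticator data does not show whether a resident credential was created, so only the user verification half of the request is checked here.

```javascript
// Added example. Only the WebAuthn option field names are real;
// function names, result strings and sample values are constructed.

// Creation options carrying the combination discussed in the message.
function buildCreateOptions(challenge, userId) {
  return {
    publicKey: {
      rp: { name: "Example RP" }, // constructed value
      user: { id: userId, name: "user@example.test", displayName: "User" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        requireResidentKey: false, // also the default when absent
        userVerification: "discouraged",
      },
    },
  };
}

// Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,            // UP, bit 0
    userVerified: (flags & 0x04) !== 0,           // UV, bit 2
    attestedCredentialData: (flags & 0x40) !== 0, // AT, bit 6
    extensionData: (flags & 0x80) !== 0,          // ED, bit 7
  };
}

// Compare what was requested with what the authenticator reports.
function observeUserVerification(options, authData) {
  const requested = options.publicKey.authenticatorSelection.userVerification;
  const { userVerified } = parseAuthDataFlags(authData);
  if (requested === "discouraged" && userVerified) {
    return "uv-performed-despite-discouraged";
  }
  if (requested === "required" && !userVerified) return "uv-missing";
  return "consistent";
}

// Constructed sample: 37 zero bytes with only the flags byte set.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

In a browser the options object is passed to navigator.credentials.create, and the authenticator data is taken from the decoded attestation object of the response.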
