Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Thu, 27 Jun 2019 06:49:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-506216331-1561618173-sysbot+gh@w3.org>

So my take on @christiaanbrand's requirement is that this is how things *should* behave today (even in L1) if navigator.credentials.create is called with requireResidentKey=false (or absent, since that's the default), and userVerification=discouraged. The simple fact, though, is that this isn't how all browser+authenticator combinations behave - the behaviour is inconsistent across browsers (CTAP1 vs CTAP2) and when using platform vs roaming authenticators, and even changes depending on some roaming authenticators' enabled capabilities (if a PIN is set vs not set). I don't think a functional spec change is really required or desirable but I do think it's worth getting the editors to weigh in on whether or not they concur that the combination of modifiers I have suggested should result in the requested behaviour. If so, then the spec could provide specific direction regarding same.

GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-506216331 using your GitHub account
Received on Thursday, 27 June 2019 06:49:36 UTC
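
The combination of modifiers discussed in this message, as an added example that is not part of the original comment or of any browser's code: it builds the `navigator.credentials.create` options with requireResidentKey=false and userVerification=discouraged, then reads the UP/UV flags from the returned authenticator data so a relying party can record when a browser+authenticator pair verified the user anyway. The RP and user values, the helper names and the sample authenticator data are constructed for illustration.

```javascript
// Options for navigator.credentials.create() using the modifiers named in the message.
// rp/user values are constructed placeholders.
function buildCreateOptions(challenge, userId) {
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" },
      user: { id: userId, name: "alice@example.com", displayName: "Alice" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        requireResidentKey: false,        // also the default when absent
        userVerification: "discouraged",
      },
    },
  };
}

// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  return {
    userPresent: (flags & 0x01) !== 0,   // UP, bit 0
    userVerified: (flags & 0x04) !== 0,  // UV, bit 2
    signCount: new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0),
  };
}

// Compare what was requested with what the authenticator reported.
// Only the user-verification side is observable here, not resident key creation.
function checkAgainstRequest(options, authData) {
  const sel = options.publicKey.authenticatorSelection || {};
  const requested = sel.userVerification || "preferred";
  const seen = parseAuthDataFlags(authData);
  const notes = [];
  if (!seen.userPresent) notes.push("UP flag not set");
  if (requested === "required" && !seen.userVerified) notes.push("UV required but not performed");
  if (requested === "discouraged" && seen.userVerified) notes.push("UV performed although discouraged");
  return notes;
}

// Constructed sample: zeroed rpIdHash, the given flags byte, signCount = 5.
function makeSampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 5;
  return data;
}
```
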
