- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 13 Mar 2019 15:40:04 +0000
- To: public-webauthn@w3.org
I can see an argument for the RP to create a credential that can only be used with an allow list. I however don't think it will get used much, but if we think we may want prohibited now would be the time to add it. It would make it clear to some platform authenticators that they need to require an allow list even if the credential is storred locally. I suspect the best way to report back is extension data. The custom bits will get used too quickly. If the RP wants to know if the credential is resident vs server they could send the extension with it being essentially empty. Or we could allow unsolicited extensions. It could be a slightly more generic credential meta-data extension in case we want to add some other new info about the created credential. -- GitHub Notification of comment by ve7jtb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472477517 using your GitHub account
Received on Wednesday, 13 March 2019 15:40:05 UTC