W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2019

Re: [webauthn] Indicate resident key credential "preferred" during registration and find out what the authenticator offered (#991)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 13 Mar 2019 21:19:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-472609928-1552511971-sysbot+gh@w3.org>
I think Jeff had ResidentKeyRequirement prohibited in a previous proposal. 

The only reason I can think of for someone wanting that is so the credential would require an allow list.
I think that use case is more or less covered with the privacy extension, requiring a allow list or UV/PIN.

Some authenticators always make resident credentials even if non-resident is requested.  Those credentials do currently show up if no allow list is sent. 

If we don't have a real use case for forcing non-resident, then we should probably not include it.

If people are doing a second-factor flow they probably should not be asking for preferred. 
A good number of authenticators have limited slots for resident credentials.   Using them up for credentials that are always going to be used with an allow list seems like a waste.  The authenticator will fill up and only be able to create non-resident after the first number of sites.

I think we need required, preferred and something like discouraged, indifferent, or ambivalent so that the user agent can prefer non-resident on roaming authenticators.  More or less the existing behaviour with the addition of preferred.





-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472609928 using your GitHub account
Received on Wednesday, 13 March 2019 21:19:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC