- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 13 Mar 2019 21:19:32 +0000
- To: public-webauthn@w3.org

I think Jeff had ResidentKeyRequirement prohibited in a previous proposal. The only reason I can think of for someone wanting that is so the credential would require an allow list. I think that use case is more or less covered with the privacy extension, requiring an allow list or UV/PIN.

Some authenticators always make resident credentials even if non-resident is requested. Those credentials do currently show up if no allow list is sent. If we don't have a real use case for forcing non-resident, then we should probably not include it.

If people are doing a second-factor flow they probably should not be asking for preferred. A good number of authenticators have limited slots for resident credentials. Using them up for credentials that are always going to be used with an allow list seems like a waste. The authenticator will fill up and only be able to create non-resident after the first number of sites.

I think we need required, preferred and something like discouraged, indifferent, or ambivalent so that the user agent can prefer non-resident on roaming authenticators. More or less the existing behaviour with the addition of preferred.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472609928 using your GitHub account

Received on Wednesday, 13 March 2019 21:19:36 UTC