W3C home > Mailing lists > Public > public-webauthn@w3.org > March 2019

Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Wed, 13 Mar 2019 23:52:12 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-472650713-1552521131-sysbot+gh@w3.org>
Since an authenticator could decide to give a resident credential in place of a non-resident credential, this is almost a misnomer in the spec itself. What the relying party really cares about is whether an assertion can be made within the UX the party wants.

Thinking of this as a list of behaviors, to register a credential which either:
1. works without a handle presented in an allow list, as a primary factor
2. requires a handle in the allow list, as a secondary factor
3. prefers a credential which works without a handle, which will work as a primary factor. A secondary factor credential can be registered as well.

This does mean that in case 2, the credential must not be presented as an option if a request is made without the corresponding handle being presented in an allow list. And in case 3, the relying party must know whether a handle is required or not for creating assertions in the future.

I suspect there isn't a usability case for forbidding authenticators from creating resident credentials, because a resident credential is a superset usage-wise compared to a non-resident one.

GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-472650713 using your GitHub account
Received on Wednesday, 13 March 2019 23:52:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:03 UTC