
Re: [webauthn] Indicate resident key credential "preferred" during registration and find out what the authenticator offered (#991)

From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
Date: Thu, 14 Mar 2019 15:47:20 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-472928600-1552578438-sysbot+gh@w3.org>

Way too much to read here... so I'll start afresh.

I'll just add my 2c here: Just as we have a tri-state for UV, we need a tri-state for RK.
It needs to be {Required, Allowed, Forbidden/Disallowed}.

And there's a very particular reason why an RP might want to do Forbidden/Disallowed: If they really really really don't want to deal with PINs set up on tokens. I believe we now have consensus that when a non-RK credential is created, EVEN IF A PIN IS SET UP ON A TOKEN, if UV=False, it will *not require the user to enter a PIN during creation*. I need a way to force that a credential is non-resident in order to get that behavior, hence this property.

Actually, I think even if someone is making a resident credential, if UV=false it shouldn't require a PIN (or other form of UV), but this one seems to require more convincing.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472928600 using your GitHub account
Received on Thursday, 14 March 2019 15:47:25 UTC
