- From: Christiaan Brand via GitHub <sysbot+gh@w3.org>
- Date: Thu, 14 Mar 2019 15:47:20 +0000
- To: public-webauthn@w3.org
Way too much to read here... so I'll start afresh.
I'll just add my 2c here: just as we have a tri-state for UV, we need a tri-state for RK.
It needs to be {Required, Allowed, Forbidden/Disallowed}.
And there's a very particular reason why an RP might want to do Forbidden/Disallowed: if they really really really don't want to deal with PINs set up on tokens. I believe we now have consensus that when a non-RK credential is created, EVEN IF A PIN IS SET UP ON A TOKEN, if UV=False, it will *not require the user to enter a PIN during creation*. I need a way to force that a credential is non-resident in order to get that behavior, hence this property.
Actually, I think even if someone is making a resident credential, if UV=false it shouldn't require a PIN (or other form of UV), but this one seems to require more convincing.
--
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-472928600 using your GitHub account
Received on Thursday, 14 March 2019 15:47:25 UTC