
Re: [webauthn] Indicate resident key credential "preferred" during registration and find out what the authenticator offered (#991)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Thu, 28 Mar 2019 18:57:37 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-477728368-1553799456-sysbot+gh@w3.org>
Joining the party late. :) Too much to read here...

___
**Requirements:**
- By Christiaan: **_Don't want PIN during registration in general._** Don't care about whether resident or not yet. Have a consensus for non-resident keys for external authenticators. Want same for resident keys also, but consensus is not there yet. 

- By Me: **_Don't force authenticators to not require user verification if they don't want to_**. Some authenticators (external or platform) probably want to improve security and will always ask for user verification. It may be required for upper levels as per SPWG. Don't force them to create a credential without user verification if they want to. They may want to have a differentiation or may have other security requirements. Applies to both resident keys as well as non-resident ones.

- By Me: **_Don't force authenticators to create non-resident keys if they don't want to_**. Some authenticators (external or platform) don't want to/can't export private keys even in encrypted format. Don't force them. This is the current semantics of `requireResidentKey = false`. Don't lose that.

- By Shane: **_Tell RP what kind of credential was created._** Resident or not resident. Probably will prefer resident keys but OK with non-resident keys also. Don't error out when resident keys are not supported, which is the case for `requireResidentKey = false`.

Let me know if I am not capturing the requirements correctly or missing something.
___
**My Recommendation:** 
___
Input:
```
enum ResidentKeyRequirement {
    "discouraged",
    "preferred",
    "required"
};
```

Where 
- `required` means create resident keys and error out if you can't
- `preferred` means try to create a resident key but if that is not supported, try to create a non-resident one
- `discouraged` means try to create a non-resident key but if that is not supported, try to create a resident one.
___
Output:
```
partial dictionary CredentialPropertiesOutput {
    boolean rk;
};

partial dictionary AuthenticationExtensionsClientOutputs {
    CredentialPropertiesOutput credProps;
};
```
___

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/991#issuecomment-477728368 using your GitHub account
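As an added illustration (not code from the thread or the spec), here is how a relying party would consume the proposal above: request `preferred`, ask for the `credProps` output, and only treat the credential as discoverable when the client reports `rk: true`. The field names `authenticatorSelection.residentKey`, `credProps` and `rk` are assumed to match the WebIDL in the comment.

```javascript
// Added example: RP-side use of the proposed ResidentKeyRequirement input and
// credProps output. Option/field names are assumptions taken from the WebIDL above.
const RESIDENT_KEY_VALUES = ["discouraged", "preferred", "required"];

// Build the options passed to navigator.credentials.create(). `challenge` and
// `userId` are Uint8Arrays generated server-side; `residentKey` is one of the
// three enum values.
function buildCreationOptions({ rpId, userId, userName, challenge, residentKey }) {
  if (!RESIDENT_KEY_VALUES.includes(residentKey)) {
    throw new RangeError(`unknown ResidentKeyRequirement: ${residentKey}`);
  }
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { residentKey, userVerification: "preferred" },
      extensions: { credProps: true }, // ask the client to report what was created
    },
  };
}

// Interpret credential.getClientExtensionResults() after create() resolves and
// decide how the RP must record the credential. A credential counts as
// discoverable (usable for username-less sign-in) only when the client says so;
// anything else is stored as a credential that must be named via allowCredentials.
function classifyCredential(residentKey, clientExtensionResults) {
  const credProps = clientExtensionResults ? clientExtensionResults.credProps : undefined;
  const reported = credProps && typeof credProps.rk === "boolean" ? credProps.rk : null;
  if (residentKey === "required" && reported === false) {
    // The client should have failed the ceremony; do not accept this credential.
    return { accept: false, discoverable: false, reason: "resident key required but not created" };
  }
  if (reported === null) {
    // No credProps output: assume the conservative case (non-resident).
    return { accept: true, discoverable: false, reason: "rk not reported; assume non-resident" };
  }
  return {
    accept: true,
    discoverable: reported,
    reason: reported ? "resident key created" : "non-resident key created",
  };
}
```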
Received on Thursday, 28 March 2019 18:57:43 UTC
