Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

> Transmitting the AAGUID early (although unsigned) allows the RP to fail faster and prevent the user from inadvertently getting locked out.

I don't believe that we would want to transmit AAGUIDs in a non-enterprise context.

> This is in part because the key generation scheme is opaque to the RP - the primary authenticator only needs to supply some kind of COSE public key for the backup credential.

But the COSE key supplied is always ES256, right? I.e. there's no sequence of COSE algorithm IDs to permit a transition of that, and RPs have to be involved in verifying the recovery signature.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-637846449 using your GitHub account

Received on Tuesday, 2 June 2020 22:45:05 UTC