
Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Jun 2020 22:45:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-637846449-1591137901-sysbot+gh@w3.org>

> Transmitting the AAGUID early (although unsigned) allows the RP to fail faster and prevent the user from inadvertently getting locked out.

I don't believe that we would want to transmit AAGUIDs in a non-enterprise context.

> This is in part because the key generation scheme is opaque to the RP - the primary authenticator only needs to supply some kind of COSE public key for the backup credential.

But the COSE key supplied is always ES256, right? I.e. there's no sequence of COSE algorithm IDs to permit a transition of that, and RPs have to be involved in verifying the recovery signature.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-637846449 using your GitHub account
Received on Tuesday, 2 June 2020 22:45:05 UTC
