Re: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457) from Arian van Putten via GitHub on 2020-09-11 (public-webauthn@w3.org from September 2020)

From: Arian van Putten via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Sep 2020 09:34:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-690985071-1599816845-sysbot+gh@w3.org>

The opposite also seems true.

Google Chrome for Android  will happily created a server-side credential without erroring out, even when setting `requireResidentKey` to `required`.  I would expect it to error out as described in the spec, but it silent generates a server-side credential.

The spec says I can differentiate between these cases using the `credProps` extension in the cases of `discouraged` and `preferred`.

But what do I do with misbehaving platforms that don't error out as the spec mandates?


-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1457#issuecomment-690985071 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 September 2020 09:34:08 UTC