W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2020

Re: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Sep 2020 09:56:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-690995581-1599818162-sysbot+gh@w3.org>
I don’t believe Chrome on Android implements WebAuthn L2 yet. 

Sent from my iPhone

> On 11 Sep 2020, at 7:34 pm, Arian van Putten <notifications@github.com> wrote:
> 
> 
> The opposite also seems true.
> 
> Google Chrome for Android will happily created a server-side credential without erroring out, even when setting requireResidentKey to required. I would expect it to error out as described in the spec, but it silent generates a server-side credential.
> 
> The spec says I can differentiate between these cases using the credProps extension in the cases of discouraged and preferred.
> 
> But what do I do with misbehaving platforms that don't error out as the spec mandates?
> 
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub, or unsubscribe.



-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1457#issuecomment-690995581 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 11 September 2020 09:56:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 11 September 2020 09:56:06 UTC