Re: [webauthn] Device-bound key extension (#1658) from Emil Lundberg via GitHub on 2021-08-09 (public-webauthn@w3.org from August 2021)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 09 Aug 2021 19:14:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-895473995-1628536471-sysbot+gh@w3.org>

Unrelated to my previous comment: I can't really see what's the benefit of the new device key. It is authorized on first use by a signature chain from an already-registered, synced, key, right? So if the desire is to only rely on device-bound keys, it seems like that promise is already broken by the time the new device-bound key is registered. And since the synced key is by definition already synced, I can't see the device-bound key adding any redundancy if there's already a synced key that the RP accepts. I must be missing what the purpose of the device-bound key is.


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-895473995 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 9 August 2021 19:14:34 UTC