- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Sat, 14 Aug 2021 02:44:18 +0000
- To: public-webauthn@w3.org
> Some platform vendors do not believe the DPK should be shared between apps/contexts. This resulted in the compromise proposed as part of this issue where the platform can signal what the DPK represents.

Correct me if I misunderstand: the public key credential is scoped across physical authenticator devices to a particular (because it is “synched”). For these vendors, they want the physical-authenticator-bound key to both be restricted to a particular physical authenticator and to a specific software agent authorized to act on behalf of that origin? (A so-called “app”, but also presumably each of the various web browser user agents.)

What is not clear to me is, for various definitions of context (device, application team/group, specific application id, installation-specific identity, CTAP extension to capture remote client identity, whatever), what the RP is meant to do with merely a label that a particular type of context is in force. It seems like any information provided to aid a risk analysis process would be provided by the attestation itself, and likely would be vendor specific.

> I should also note that RPs who do not require a hardware bound device key do not need to request a DPK.

I imagine that some platforms will not mint new DPKs until they are requested by an RP. I hope the vast majority of RPs don’t even care about attestation, let alone differentiating contexts of use.

--
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-898802541 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 14 August 2021 02:44:20 UTC