Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510) from Nick Steele via GitHub on 2021-01-20 (public-webauthn@w3.org from January 2021)

From: Nick Steele via GitHub <sysbot+gh@w3.org>
Date: Wed, 20 Jan 2021 21:12:30 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-763949324-1611177149-sysbot+gh@w3.org>

I do believe that we need to clarify the connection between UV and credential creation, and the different states that credentials (and their authenticators) can arrive at depending on if it's a discoverable key or CredProtect is being used. I'm a bit confused though as to why credentials themselves should dictate their use, since the RP can decide to approve or deny the credentials as it sees fit. We shouldn't put further onus on the authenticator (or credential itself) to provide an enforcement, however this idea and reasoning should be clarified in the spec.

-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-763949324 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 20 January 2021 21:12:32 UTC