W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2021

Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Wed, 27 Jan 2021 20:19:45 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-768551392-1611778784-sysbot+gh@w3.org>
Two suggestions from out of band discussion @Firstyear for non-normative changes that would help RP developers:

1. Step 16 of [Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential) may be best moved to between 21/22 because before that point most implementations won't have access to the credential alg type.

2. An explanatory note for RP developers that there is value in storing against the user's account not just the credential id and public key but also other attributes discovered during the attestation ceremony such as the uv bit from authenticator data, attestation data (if attestation is performed), and any extension data. This will assist RP's in making future policy decisions and determining the best WebAuthn parameters for assertion ceremonies.

Intention is that a future PR (in L3 timeframe) may be submitted to address.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-768551392 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 27 January 2021 20:19:47 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:40 UTC