[webauthn] Note to encourage storage of registered credential details (#1556)

Firstyear has just created a new issue for https://github.com/w3c/webauthn:

== Note to encourage storage of registered credential details ==
During registration today, there are a number of parameters related to the credential that *could* be stored for future verification and policy assertion, but it has been up to RP implementors to interpret and discover this. A note should exist in registration that encourages the storage of:

* uv bit
* attestation data (if performed) so that the model/transport of the credential is known
* extension data

This allows RPs to then extend the authentication ceremony such that a credential known to set a uv bit in registration with "preferred" can have the next authentication performed with "userVerification required" as it is known it can provide that. Similarly, this data can be used for validation of other credential properties that may matter to policy for RPs.

By having a note encouraging this, this allows RPs to understand that this is how certain policies can be implemented.


Similar notes should exist around authenticatorAttachment that these are *hints* to the client on how to work with the authenticator and are not the foundation of security policy - it is based on the credential used and the RP's knowledge of that credential from registration to enforce any policy.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1556 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 28 January 2021 01:51:03 UTC
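
The following is an added example, not part of the issue or of the WebAuthn specification text. It sketches an RP storing the uv bit, AAGUID, transports and extension flag at registration, then using that record to choose the `userVerification` value and check the flags of a later assertion. It assumes the raw authenticator data has already been extracted and that signature, challenge and rpIdHash checks happen elsewhere; `StoredCredential` and the function names are hypothetical.

```python
import struct
from dataclasses import dataclass

# Bits of the authenticator data flags byte, as defined by WebAuthn.
UP, UV, AT, ED = 0x01, 0x04, 0x40, 0x80

@dataclass(frozen=True)
class StoredCredential:  # hypothetical RP-side record
    credential_id: bytes
    aaguid: bytes           # identifies the authenticator model
    transports: tuple       # as reported by the client at registration
    uv_at_registration: bool
    had_extensions: bool

def parse_auth_data(data: bytes) -> dict:
    """Parse rpIdHash(32) | flags(1) | signCount(4) [| aaguid(16) | idLen(2) | id]."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    out = {"flags": data[32], "sign_count": struct.unpack(">I", data[33:37])[0]}
    if data[32] & AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        id_len = struct.unpack(">H", data[53:55])[0]
        if len(data) < 55 + id_len:
            raise ValueError("truncated credential id")
        out["aaguid"], out["credential_id"] = data[37:53], data[55:55 + id_len]
    return out

def register(data: bytes, transports) -> StoredCredential:
    """Keep the details the issue lists so later ceremonies can enforce policy."""
    p = parse_auth_data(data)
    if "credential_id" not in p:
        raise ValueError("registration data carries no attested credential")
    return StoredCredential(p["credential_id"], p["aaguid"], tuple(transports),
                            bool(p["flags"] & UV), bool(p["flags"] & ED))

def uv_for_next_login(cred: StoredCredential) -> str:
    """Ask for 'required' only when the credential has shown it can do UV."""
    return "required" if cred.uv_at_registration else "preferred"

def assertion_meets_policy(cred: StoredCredential, data: bytes) -> bool:
    """Reject a UV-capable credential that comes back without UV (or without UP)."""
    flags = parse_auth_data(data)["flags"]
    return bool(flags & UP) and (bool(flags & UV) or not cred.uv_at_registration)

def sample_auth_data(flags: int, cred_id: bytes = b"") -> bytes:
    """Constructed test vector: zeroed rpIdHash, signCount and AAGUID."""
    head = bytes(32) + bytes([flags]) + struct.pack(">I", 0)
    return head + (bytes(16) + struct.pack(">H", len(cred_id)) + cred_id if flags & AT else b"")
```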