Re: [webauthn] Note to encourage storage of registered credential details (#1556)

The other way of thinking about this is that you have your credential creation request and response, and you are choosing what information _not_ to save.

Sure, the request message you sent or the client credential data in the response might be something you won't use normally at runtime, but if you save them you can re-run your security evaluation on the initial credential registration at any point in the future, such as after a security fix or change to your attestation policy.

Once you decide to pick and choose what data you save, there aren't a lot of values that MUST be saved across all the different kinds of implementations. In fact, I believe a limited functionality implementation only MUST save the public key, although you would probably still _want_ to save the credential handle with it.

Trying to define what information people SHOULD save would likely require defining use cases that go along with that recommendation. We may also wish to extend such recommendations to extensions, and suggest any third party extension also give such guidance.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1556#issuecomment-770133479 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 30 January 2021 01:41:07 UTC
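As an added illustration of the re-evaluation the comment argues for (example code written for this page, not part of the original message or of the w3c/webauthn project): a relying party that kept the creation options it sent plus the raw clientDataJSON and authenticator data can later re-run its registration checks under a tighter policy. The record layout, the policy dictionary, the base64url encoding of the stored challenge and the AAGUID values are all assumptions; the sample record is constructed here rather than captured from a real authenticator, and the COSE public key is left as opaque bytes because none of the re-checks shown need to parse it.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

# Authenticator data flag bits (WebAuthn "flags" byte).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes
    cose_public_key: bytes  # left CBOR-encoded; this re-check does not need to parse it


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the fixed-layout authenticator data returned at registration."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short for attested credential data")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data to evaluate")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("truncated credential id")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, auth_data[55 + cred_len:])


def reevaluate(record: dict, policy: dict) -> list:
    """Re-run registration checks on a stored record under the current policy.

    record: {"request": {"challenge": b64url, "rp": {"id": str}},
             "clientDataJSON": b64url, "authData": b64url}   (assumed layout)
    Returns a list of human-readable findings; empty means the registration
    still passes.
    """
    findings = []
    request = record["request"]
    client_data = json.loads(b64url_decode(record["clientDataJSON"]))
    auth = parse_auth_data(b64url_decode(record["authData"]))

    if client_data.get("type") != "webauthn.create":
        findings.append("clientData.type is not webauthn.create")
    if client_data.get("challenge") != request["challenge"]:
        findings.append("challenge in clientDataJSON differs from the one we sent")
    if client_data.get("origin") not in policy["allowed_origins"]:
        findings.append("origin %r is not allowed" % client_data.get("origin"))
    if auth.rp_id_hash != hashlib.sha256(request["rp"]["id"].encode()).digest():
        findings.append("rpIdHash does not match rp.id from the stored request")
    if not auth.flags & FLAG_UP:
        findings.append("user presence flag not set")
    if policy["require_uv"] and not auth.flags & FLAG_UV:
        findings.append("policy now requires user verification but UV flag not set")
    allow = policy["aaguid_allowlist"]
    if allow is not None and auth.aaguid not in allow:
        findings.append("aaguid %s is not on the current allowlist" % auth.aaguid.hex())
    return findings


def make_sample_record(rp_id, origin, challenge, aaguid, flags=FLAG_UP | FLAG_UV | FLAG_AT):
    """Build a constructed registration record (sample data, not a real authenticator)."""
    cred_id = b"\x11" * 16
    cose_key = b"\xa5\x01\x02\x03\x26"  # constructed stand-in for a CBOR COSE_Key
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
                 + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
    client_data = json.dumps({"type": "webauthn.create", "challenge": challenge, "origin": origin})
    return {"request": {"challenge": challenge, "rp": {"id": rp_id}},
            "clientDataJSON": b64url_encode(client_data.encode()),
            "authData": b64url_encode(auth_data)}


SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
SAMPLE_RECORD = make_sample_record("example.com", "https://example.com",
                                   b64url_encode(b"\x00" * 16), SAMPLE_AAGUID)
# Policy at registration time, and a later, tighter policy (both assumed shapes).
ORIGINAL_POLICY = {"allowed_origins": {"https://example.com"}, "require_uv": False, "aaguid_allowlist": None}
TIGHTENED_POLICY = {"allowed_origins": {"https://example.com"}, "require_uv": True,
                    "aaguid_allowlist": {bytes.fromhex("ffffffffffffffffffffffffffffffff")}}

if __name__ == "__main__":
    print("original policy:", reevaluate(SAMPLE_RECORD, ORIGINAL_POLICY) or "ok")
    print("tightened policy:", reevaluate(SAMPLE_RECORD, TIGHTENED_POLICY) or "ok")
```

The point of keeping the request alongside the response is visible in the checks: the challenge and rp.id comparisons are only possible because the options sent at registration were stored, and the AAGUID check is the one that changes outcome when an allowlist is introduced after the fact. A deployment that kept only the public key and credential ID could not re-run any of these.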