Re: [webauthn] Requesting properties of created credentials. (#1449)

@ve7jtb wrote:
> In conversations with some government RP around national ID programs, there seems to be a requirement that **(A) keys not be exportable or shared**.
[ ... ]
In some cases, the RP may also want to **(B) guide the user to an authenticator with a particular certification**.
As an example, a US Fedramp high application may need a FIPS-140-L2 certified authenticator.

Overall, it would be good to have the fine-grained use cases & requirements from the eID folks.  

Requirement (A) seems to actually be two requirements: 
* (A.1), the credential (aka key) be device-bound (in hardware), and 
* (A.2), only be usable by the RP ID and specific app (browser or native app?) that created it (I'm not sure how workable that is...).

Regarding (A.2) and (B), they would seem to be things that would foster fragmentation (users needing multiple authnrs for specific purposes and/or RPs) in the consumer context, and so would seem more applicable to the enterprise context ...?

Regarding (A.1), it may turn out to be addressed by the device-bound key we are envisioning in answer to issue #1546. 

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449#issuecomment-873273850 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 2 July 2021 21:53:11 UTC
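For readers following this thread, the following is an added illustration (not code from the thread, from the WebAuthn specification, or from any of the commenters) of what requirements (A.1) and (B) look like on the RP side today: the registration response's authenticator data carries the authenticator's AAGUID (which an RP can match against an allow-list of models holding the certification it needs) and, in WebAuthn Level 3, the BE/BS flags that say whether the key can leave the device. The AAGUID value, RP ID, credential id and COSE key bytes below are constructed placeholders; a real allow-list would be derived from authenticator metadata (for example FIDO MDS entries), and this block deliberately does not verify the attestation statement's signature or certificate chain, without which the AAGUID is only a self-asserted claim.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (WebAuthn Level 3); clear means the key stays on the device
FLAG_BS = 0x10  # backup state (WebAuthn Level 3)
FLAG_AT = 0x40  # attested credential data follows the fixed header
FLAG_ED = 0x80  # extension data follows

# Constructed placeholder values; a real allow-list comes from authenticator metadata.
CERTIFIED_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
ALLOWED_AAGUIDS = {CERTIFIED_AAGUID}
SAMPLE_CRED_ID = b"\x01" * 16
SAMPLE_COSE_KEY = b"\xa5"  # stand-in bytes, not a real COSE key


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    public_key_cbor: Optional[bytes]  # COSE key, left unparsed here (needs a CBOR decoder)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the authenticator data structure returned at registration."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the fixed 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = pubkey = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        pubkey = data[55 + cred_len:]
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, pubkey)


def build_auth_data(rp_id, flags, sign_count, aaguid, cred_id, pubkey):
    """Construct authenticator data as a fixture (this is not what a real authenticator does)."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(cred_id)) + cred_id + pubkey
    return out


def check_registration(data, rp_id, allowed_aaguids, require_device_bound=True):
    """Return the list of policy violations; an empty list means the registration is acceptable."""
    ad = parse_auth_data(data)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the RP ID")
    if not ad.flags & FLAG_UP:
        problems.append("user presence not asserted")
    if not ad.flags & FLAG_UV:
        problems.append("user verification not performed")
    if not ad.flags & FLAG_AT:
        problems.append("no attested credential data, authenticator model unknown")
    elif ad.aaguid not in allowed_aaguids:
        problems.append("authenticator model %s is not on the allow-list" % ad.aaguid.hex())
    # Requirement (A.1): a backup-eligible credential may be synced off the device.
    if require_device_bound and ad.flags & FLAG_BE:
        problems.append("credential is backup-eligible, so it is not device-bound")
    return problems


def demo():
    """Run the policy check over three constructed registrations."""
    base = FLAG_UP | FLAG_UV | FLAG_AT
    good = build_auth_data("id.example", base, 1, CERTIFIED_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    synced = build_auth_data("id.example", base | FLAG_BE | FLAG_BS, 1, CERTIFIED_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    unknown = build_auth_data("id.example", base, 1, bytes(16), SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    return {
        "device-bound, certified model": check_registration(good, "id.example", ALLOWED_AAGUIDS),
        "synced credential": check_registration(synced, "id.example", ALLOWED_AAGUIDS),
        "unknown model": check_registration(unknown, "id.example", ALLOWED_AAGUIDS),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "accepted")
```

The check is deliberately a list of violations rather than a boolean, so an RP can tell the user which requirement (certification versus device binding) the chosen authenticator fails and steer them to a different one, which is the "guide the user" behaviour requirement (B) asks for.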