
Re: [webauthn] Cross-origin credential creation (#1656)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Jul 2021 09:27:12 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-888158324-1627464431-sysbot+gh@w3.org>

Can an RP say that it does not want any other website to be able to invoke the create command for them? Or only an allowlist of RP IDs that it controls? And by default there should be no-one else who should be able to create a credential for another RP.

Also, this enforcement must be at the creation level, before invoking the create() API. Potentially, in addition, the server must also be able to verify at its level while evaluating the credential creation response.

This has security implications, and then the question becomes why the user cannot go to the bank and create the credential there. Is the issue that the merchant does not know what kind of bank credentials the user has?

GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-888158324 using your GitHub account
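The server-side half of the enforcement the comment asks for, as an added example that is not part of the thread or the WebAuthn spec: when the RP server evaluates a registration response, it parses clientDataJSON, checks the ceremony type and challenge, checks the reporting origin against a per-RP-ID allowlist of origins permitted to call create(), and checks the rpIdHash in the authenticator data. The allowlist policy, the `bank.example` / `pay.merchant.example` names and the sample inputs are all constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed policy (hypothetical): RP ID -> origins allowed to invoke
# navigator.credentials.create() for it. Default for unknown RP IDs: nobody.
ALLOWED_CREATE_ORIGINS = {
    "bank.example": {"https://bank.example", "https://pay.merchant.example"},
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_creation_response(rp_id, expected_challenge, client_data_json_b64, auth_data):
    """Evaluate a registration response. Returns (accepted, reason)."""
    cd = json.loads(b64url_decode(client_data_json_b64))
    if cd.get("type") != "webauthn.create":
        return False, "not a create ceremony"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch"
    origin = cd.get("origin")
    if origin not in ALLOWED_CREATE_ORIGINS.get(rp_id, set()):
        return False, f"origin {origin!r} may not create credentials for {rp_id}"
    # First 32 bytes of authenticatorData are SHA-256(rpId); a mismatch means
    # the credential was scoped to a different RP ID than the one being registered.
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    # crossOrigin=true marks a call made from a cross-origin iframe; log it so
    # embedded (merchant-initiated) registrations can be audited separately.
    return True, "cross-origin create" if cd.get("crossOrigin") else "same-origin create"


def make_client_data(origin, challenge, cross_origin=False, ceremony="webauthn.create"):
    """Build a constructed clientDataJSON as a browser would serialize it."""
    doc = {"type": ceremony, "challenge": b64url_encode(challenge),
           "origin": origin, "crossOrigin": cross_origin}
    return b64url_encode(json.dumps(doc).encode())


# Constructed sample inputs: rpIdHash for bank.example, flags byte, 4-byte counter.
CHALLENGE = b"constructed-challenge-0123456789"
AUTH_DATA = hashlib.sha256(b"bank.example").digest() + b"\x45" + b"\x00\x00\x00\x01"
```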

Received on Wednesday, 28 July 2021 09:27:14 UTC