Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

@christiaanbrand
I think we all agree on that requirement (can be used). But there are some RPs that would not want to 'open up' the ability to allow payments or allow 3P transactions for their tokens (e.g. an Employee authenticator).

It seems that this is not technically possible in the current design to allow all 3 of these use-cases, while still enabling RPs to indicate (during WebAuthn token creation) that they do not want these capabilities for their tokens (e.g. do not want to allow 3P invocation).

So the only way is to either
* Find a way to enable the usage attributes to be set during creation
* Find a way to create multiple tokens each with a specific attribute (e.g. token for 1P and separate token for 3P)
* Remove the restrictions and always enable all tokens for these 3 use-cases.

The first two are technical challenges. The last is more a risk/security/principle concept. Not sure how the community would feel about option 3, and what the potential risks are there.


-- 
GitHub Notification of comment by Goosth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-982339896 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 30 November 2021 06:57:56 UTC