Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> Sorry, I mean that RPs can "opt out" of credential syncing by requiring attestation and rejecting any authenticator not known to not sync (sorry for the multiple negations, they are significant). It doesn't allow for simply disabling a sync feature, though (thus "_most_ of the same powers"). It's a roundabout way, but it's the only way - even with the authenticator data flags - if you need to strictly forbid syncing.

This is not correct. @timcappalli has made it clear that the data flags are an optional hint, and not a strict assertion that the device does or does not do backups, which pretty much means they are not a strict rule (the same way that a lot of authenticator selection criteria are hints and not actual criteria).

There are now only three situations that exist:

* you know a device explicitly is multi-device capable because of DPK/Attestation
* you know a device is explicitly not multi-device capable because you carefully vetted the attestations and manufacturer to limit this
* all other devices, regardless of backup flag presence or not, and especially with none attestation, must be assumed to be multi device.

There is practically no way to opt out of multi-device credentials, you have to "opt in" to strict attestation checks if you want single devices.



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1086972832 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 3 April 2022 23:24:37 UTC
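As an added illustration of the three situations Firstyear lists (example code, not from the thread or the WebAuthn project): an RP-side classifier over raw authenticatorData in which only a verified attestation against a vetted allowlist can ever yield "single-device", while BE/BS are treated as hints. The AAGUID allowlists, the dummy rpIdHash, credential id and COSE key, and the `chain_verified` parameter are constructed assumptions; the flag bit positions are the WebAuthn spec's; DPK is not modelled and the "known multi-device" AAGUID list stands in for it.

```python
import struct
from enum import Enum

# authenticatorData flag bits defined by the WebAuthn spec.
FLAG_AT = 0x40  # attested credential data follows the sign count
FLAG_BE = 0x08  # backup eligible: a hint, not an assertion
FLAG_BS = 0x10  # backup state: a hint, not an assertion

class Classification(Enum):
    KNOWN_MULTI_DEVICE = "known multi-device"
    KNOWN_SINGLE_DEVICE = "known single-device"
    ASSUME_MULTI_DEVICE = "assume multi-device"

# Constructed, hypothetical AAGUID allowlists an RP would maintain after
# vetting manufacturers; a real RP fills these from its own review.
VETTED_SINGLE_DEVICE_AAGUIDS = {bytes.fromhex("11" * 16)}
KNOWN_MULTI_DEVICE_AAGUIDS = {bytes.fromhex("22" * 16)}

def parse_auth_data(auth_data: bytes):
    """Return (flags, aaguid) from raw authenticatorData; aaguid is None without AT."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than rpIdHash+flags+signCount")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return flags, None
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data is truncated")
    return flags, auth_data[37:53]

def classify(fmt: str, auth_data: bytes, chain_verified: bool) -> Classification:
    """Apply the three situations: only vetted attestation yields single-device."""
    flags, aaguid = parse_auth_data(auth_data)
    if fmt == "none" or not chain_verified or aaguid is None:
        # No trustworthy statement about the device, whatever BE/BS say.
        return Classification.ASSUME_MULTI_DEVICE
    if flags & FLAG_BE or aaguid in KNOWN_MULTI_DEVICE_AAGUIDS:
        return Classification.KNOWN_MULTI_DEVICE  # believing "I sync" is the safe direction
    if aaguid in VETTED_SINGLE_DEVICE_AAGUIDS:
        return Classification.KNOWN_SINGLE_DEVICE
    # Unvetted make with BE clear: a clear hint is not proof, so do not trust it.
    return Classification.ASSUME_MULTI_DEVICE

def build_auth_data(flags: int, aaguid: bytes) -> bytes:
    """Constructed sample authenticatorData (dummy rpIdHash, credential id, COSE key)."""
    cred_id = b"\xab" * 16
    return (b"\x00" * 32 + bytes([flags]) + struct.pack(">I", 1)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```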