- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Apr 2022 12:33:33 +0000
- To: public-webauthn@w3.org
> This is not correct. @timcappalli has made it clear that the data flags are an optional hint, and not a strict assertion that the device does or does not do backups. Which pretty much means they are not a strict rule (the same way that a lot of authenticator selection criteria are hints and not actual criteria).

Yes, that's what I said: that you (the RP) cannot trust the authenticator data flags unless they come from an authenticator whose attestation you have deemed a trustworthy assertion that the flags are accurate. This is true for all the flags and does not change with the introduction of synced keys.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1087497693 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 4 April 2022 12:33:37 UTC
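
The point made in the message above, as an added example that is not part of the original message or of the WebAuthn project: an RP-side sketch that parses the flags byte of authenticator data and labels the backup flags as a hint unless the RP has already decided the attestation is trustworthy. The names `backup_policy_view`, `attestation_trusted`, `may_enforce_device_bound` and `make_auth_data` are hypothetical, and attestation verification itself is assumed to happen elsewhere.

```python
import hashlib
import struct

# Bit masks of the authenticator data flags byte (WebAuthn Level 3).
UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def parse_flags(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    # Backup State without Backup Eligibility is not a valid combination.
    if (flags & BS) and not (flags & BE):
        raise ValueError("BS set without BE")
    return {
        "UP": bool(flags & UP),
        "UV": bool(flags & UV),
        "BE": bool(flags & BE),
        "BS": bool(flags & BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def backup_policy_view(auth_data: bytes, attestation_trusted: bool) -> dict:
    """Report the backup flags together with how far the RP may rely on them.

    attestation_trusted is a hypothetical input: the outcome of the RP's own
    attestation verification and policy decision, performed elsewhere.
    """
    f = parse_flags(auth_data)
    return {
        "backup_eligible": f["BE"],
        "backed_up": f["BS"],
        # Without trusted attestation the flags are only self-reported hints.
        "basis": "asserted" if attestation_trusted else "hint",
        # A "device-bound only" rule can be enforced only on reliable flags.
        "may_enforce_device_bound": attestation_trusted and not f["BE"],
    }


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample input, not captured from a real authenticator."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
```
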