Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> Somewhere buried in this there was a request to rename the bit flags to hints.

See this discussion:

https://github.com/w3c/webauthn/pull/1695#discussion_r823288781

"These are hints, not security properties."

However, we do not name or label them as such in the specification, meaning that all current RPs and consumers probably *incorrectly* assume they are security properties.

> 
> I don't see why these flags would be different.
> 
> I don't think they need to be called hints, but don't feel strongly about it, if people think it would be useful to give RP more warning.

So either they are strict and a security property OR they are a hint and may or may not represent the true state of the device, even under attestation.

That's why it's *critical* we select and use the correct language because today they are hints, but we advertise them as though they are a security property. 

Our use of wishy-washy and vague language has already led to CVEs (CVE-2020-8236 - https://hwsecurity.dev/2020/08/webauthn-pin-bypass/, bypasses in Okta, Azure AD, etc.). This certainly has the feeling of ending up as another trap we are laying for RPs.


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1088084441 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 4 April 2022 22:45:43 UTC
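The bit flags under discussion are the Backup Eligibility (BE) and Backup State (BS) bits in the authenticator data flags byte, added by the linked PR #1695. The following RP-side verifier is an added illustration of the comment's point and is not code from the thread, the specification or any WebAuthn library: it parses the fixed 37-byte prefix of authenticator data (rpIdHash, flags, signCount, using the bit positions defined in WebAuthn Level 3), enforces rpIdHash/UP/UV as verification inputs, and carries BE/BS along only as hints that feed logging or UX and never the accept/reject decision. The sample authenticator data is constructed inline; the RP ID "example.com" is an assumption.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_BE = 1 << 3  # Backup Eligibility (added alongside multi-device credentials)
FLAG_BS = 1 << 4  # Backup State
FLAG_AT = 1 << 6  # Attested credential data follows
FLAG_ED = 1 << 7  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    rest: bytes  # attested credential data / extensions, left unparsed here


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, flags, sign_count, raw[37:])


def evaluate_assertion(raw: bytes, rp_id: str, require_uv: bool) -> dict:
    """RP-side check that separates enforced properties from self-reported hints.

    rpIdHash, UP and (by policy) UV are inputs to the verification decision.
    BE/BS are recorded for logging or UX only; they are never a reason to accept
    or reject the assertion, because nothing here lets the RP confirm them.
    """
    ad = parse_authenticator_data(raw)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match expected RP ID")
    if not ad.flags & FLAG_UP:
        problems.append("UP flag not set")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("UV required by policy but UV flag not set")

    backup_eligible = bool(ad.flags & FLAG_BE)
    backed_up = bool(ad.flags & FLAG_BS)
    hints = {
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        # BE=0 together with BS=1 is not a valid combination in the spec; record it
        # as a consistency warning rather than as grounds for rejection.
        "consistent": backup_eligible or not backed_up,
    }
    return {"ok": not problems, "problems": problems, "hints": hints}


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample input (not a real authenticator response)."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    # Assumed RP ID "example.com"; a synced credential reporting UP, UV, BE and BS.
    sample = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(evaluate_assertion(sample, "example.com", require_uv=True))
```

The split is deliberate: an assertion with UV missing under a UV-required policy fails regardless of what BE/BS say, and an assertion that reports BS without BE is still accepted but surfaces an inconsistency the RP can log. Whether the hints deserve any more weight than that depends on attestation and on the RP's trust in the authenticator, which is exactly the language question the comment raises.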