Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

The flags _are_ security properties, but a critical question for any security property in any security system is _who is the guarantor_ of that property? This critical question is not unique to WebAuthn, or even to digital systems, which is why it is perhaps glossed over in the spec. In WebAuthn (from an RP point of view) that question can be answered only through attestation, and if you know who the guarantor is you can then decide [to what degree you trust them](https://github.com/w3c/webauthn/issues/1698#issuecomment-1035215931) to set the flags accurately and truthfully.

That some RPs forget to check the UV flag is unfortunate, but the (contextual) need to verify the UV flag is an explicit step in both RP operations. The spec has never been vague about that.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1089364353 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 April 2022 21:19:09 UTC
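As an added illustration of the point above (example code written for this page, not code from the comment's author, the WebAuthn spec, or any library): the snippet below parses the fixed prefix of a WebAuthn `authenticatorData` blob, extracts the UP, UV, BE and BS flag bits, and applies the RP-side flag checks the spec requires (rpIdHash, UP, UV when the RP requires it, and the invalid BS-without-BE combination), plus one RP policy decision on the BE flag. The RP ID `example.com` and the authenticator data blobs are constructed for the demo, not captured from a real authenticator; the function and parameter names are the example's own.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bit positions in the authenticator data "flags" byte
# (WebAuthn Level 3, section 6.1 "Authenticator Data").
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_BE = 1 << 3  # Backup Eligibility (the flag under discussion in #1714)
FLAG_BS = 1 << 4  # Backup State
FLAG_AT = 1 << 6  # Attested credential data included
FLAG_ED = 1 << 7  # Extension data included


@dataclass(frozen=True)
class AuthDataFlags:
    up: bool
    uv: bool
    be: bool
    bs: bool
    at: bool
    ed: bool


def parse_authenticator_data(auth_data: bytes):
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    f = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = AuthDataFlags(
        up=bool(f & FLAG_UP), uv=bool(f & FLAG_UV),
        be=bool(f & FLAG_BE), bs=bool(f & FLAG_BS),
        at=bool(f & FLAG_AT), ed=bool(f & FLAG_ED),
    )
    return rp_id_hash, flags, sign_count


def flag_errors(auth_data: bytes, rp_id: str, require_uv: bool,
                allow_backup_eligible: bool = True) -> list:
    """Return the flag-related verification failures (an empty list means the checks pass).

    The first four checks are the spec's own RP verification steps; the last
    is an RP policy decision on the authenticator-asserted BE flag.  Every one
    of these bits is set by the authenticator, so the RP can only decide how
    far to trust them by identifying the authenticator through attestation.
    """
    errors = []
    rp_id_hash, flags, _ = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        errors.append("rpIdHash does not match the expected RP ID")
    if not flags.up:
        errors.append("UP flag not set")
    if require_uv and not flags.uv:
        errors.append("UV required by the RP but UV flag not set")
    if flags.bs and not flags.be:
        errors.append("BS set while BE is clear (invalid combination)")
    if not allow_backup_eligible and flags.be:
        errors.append("RP policy rejects backup-eligible credentials")
    return errors


def verify_flags(auth_data: bytes, rp_id: str, require_uv: bool,
                 allow_backup_eligible: bool = True) -> AuthDataFlags:
    """Raise on the first problem, otherwise return the parsed flags."""
    errors = flag_errors(auth_data, rp_id, require_uv, allow_backup_eligible)
    if errors:
        raise ValueError("; ".join(errors))
    return parse_authenticator_data(auth_data)[1]


def build_auth_data(rp_id: str, flag_bits: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator data blob (no attested credential data,
    no extensions).  Constructed sample input for the demo, not captured data."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flag_bits & 0xFF])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # assumed RP ID for the demo
    synced = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print("UV-required login, synced passkey:", flag_errors(synced, rp, require_uv=True))
    no_uv = build_auth_data(rp, FLAG_UP, 7)
    print("UV-required login, UV flag clear:", flag_errors(no_uv, rp, require_uv=True))
    print("Same blob, policy rejecting BE:", flag_errors(synced, rp, True, allow_backup_eligible=False))
```

The `require_uv` argument is the contextual part of the check: the RP decides per ceremony whether user verification is required and must then test the UV bit explicitly, and the `allow_backup_eligible` policy is only as meaningful as the RP's trust in whoever set the BE bit.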