Re: [webauthn] continuous assertion (#1785)

@devsnek I think you are thinking about something like https://www.rfc-editor.org/rfc/rfc8705.html or https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop . The issue with the suggestion you have here is that user presence and interaction are a really core part of how these devices work, especially FIDO, so using this to "assert binding" is probably not completely possible.

The "right" answer is above: it's to use something like the RFCs listed, where you trust-on-first-auth via WebAuthn, and then bind the session to that device somehow.


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1785#issuecomment-1201916820 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 2 August 2022 01:38:22 UTC
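
The session binding described in the comment above, as an added example that is not part of the original message or of any specification: a simplified proof-of-possession check in the spirit of DPoP, not the RFC 9449 wire format. It assumes a WebAuthn ceremony has already succeeded before `bindSession` is called; all function names, the in-memory session store and the `rp.example` URL used to exercise it are hypothetical.

```javascript
// Added illustration: bind a session to a client-held key after WebAuthn login.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// RFC 7638 thumbprint of an EC public JWK: SHA-256 over the required
// members, serialized in lexicographic order with no whitespace.
function jwkThumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return nodeCrypto.createHash('sha256').update(canonical).digest('base64url');
}

// Server side: called once, right after the WebAuthn assertion verified (assumed).
const sessions = new Map(); // sessionId -> { thumbprint, seen nonces }
function bindSession(sessionId, clientPublicJwk) {
  sessions.set(sessionId, { thumbprint: jwkThumbprint(clientPublicJwk), seen: new Set() });
}

// Client side: a software key signs each request, so no user gesture is needed.
function newClientKey() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicJwk: publicKey.export({ format: 'jwk' }) };
}
function makeProof(privateKey, publicJwk, method, url, now = Date.now()) {
  const claims = { htm: method, htu: url, iat: now, jti: nodeCrypto.randomUUID() };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const sig = nodeCrypto.sign('sha256', Buffer.from(payload),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { jwk: publicJwk, payload, sig: sig.toString('base64url') };
}

// Server side: accept only proofs from the bound key, for this request, fresh and unused.
function verifyProof(sessionId, proof, method, url, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || jwkThumbprint(proof.jwk) !== s.thumbprint) return 'wrong-key';
  const key = nodeCrypto.createPublicKey({ key: proof.jwk, format: 'jwk' });
  const ok = nodeCrypto.verify('sha256', Buffer.from(proof.payload),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(proof.sig, 'base64url'));
  if (!ok) return 'bad-signature';
  const c = JSON.parse(Buffer.from(proof.payload, 'base64url').toString());
  if (c.htm !== method || c.htu !== url) return 'wrong-request';
  if (Math.abs(now - c.iat) > 60_000) return 'stale';
  if (s.seen.has(c.jti)) return 'replay';
  s.seen.add(c.jti);
  return 'ok';
}
```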