Re: [webauthn] continuous assertion (#1785)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Aug 2022 01:38:20 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1201916820-1659404298-sysbot+gh@w3.org>

@devsnek I think you are thinking about something like https://www.rfc-editor.org/rfc/rfc8705.html or https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop . The issue with the suggestion you have here is that user presence and interaction are a really core part of how these devices work, especially FIDO, so using this to "assert binding" is probably not completely possible.

The "right" answer is above: it's to use something like the RFCs listed, where you trust-on-first-auth via WebAuthn, and then bind the session to that device somehow.

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1785#issuecomment-1201916820 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 2 August 2022 01:38:22 UTC
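
The session binding suggested in the message above, sketched as an added example (not code from the message, the WebAuthn specification or the linked drafts): after the WebAuthn ceremony the server stores the thumbprint of a client-held key, and each later request carries a signed proof in the style of the linked DPoP draft. The `session.jkt` field, the 60-second window and the in-memory replay set are assumptions, and the full DPoP checks (for example `ath` with an access token) are left out.

```javascript
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");

// RFC 7638 JWK thumbprint for an EC key: required members in lexicographic order.
function thumbprint(jwk) {
  const canon = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return b64u(crypto.createHash("sha256").update(canon).digest());
}

// Client side: compact JWS over the HTTP method, URL, issue time and a unique id.
function makeProof(privateKey, jwk, htm, htu, iat, jti) {
  const header = b64u(JSON.stringify({ typ: "dpop+jwt", alg: "ES256", jwk }));
  const payload = b64u(JSON.stringify({ htm, htu, iat, jti }));
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${header}.${payload}.${b64u(sig)}`;
}

// Server side: session.jkt (assumed field name) was stored when the WebAuthn
// assertion was accepted; a proof signed by any other key is rejected.
function verifyProof(proof, session, htm, htu, now, seenJti) {
  const parts = proof.split(".");
  if (parts.length !== 3) return "malformed";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch { return "malformed"; }
  if (header?.typ !== "dpop+jwt" || header.alg !== "ES256" || !header.jwk) return "bad header";
  if (thumbprint(header.jwk) !== session.jkt) return "key not bound to session";
  let ok = false;
  try {
    const pub = crypto.createPublicKey({ key: header.jwk, format: "jwk" });
    ok = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: pub, dsaEncoding: "ieee-p1363" }, Buffer.from(parts[2], "base64url"));
  } catch { return "bad signature"; }
  if (!ok) return "bad signature";
  if (!claims || claims.htm !== htm || claims.htu !== htu) return "wrong request";
  if (typeof claims.iat !== "number" || Math.abs(now - claims.iat) > 60) return "stale";
  if (seenJti.has(claims.jti)) return "replayed";
  seenJti.add(claims.jti);
  return "ok";
}
```

A copied session cookie alone fails the `jkt` comparison, because the party replaying it cannot sign with the key that was bound at login.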