Re: [webauthn] Enforce backup eligibility during assertion (#1791)

From: John Bradley <jbradley@yubico.com>
Date: Tue, 30 Aug 2022 10:27:06 -0400
Message-ID: <CAEY7Pj8pBeE3sUbwkTrVW-XwJueUDmQimjubX=Wb1jmDjUJ2Yw@mail.gmail.com>
To: Tim Cappalli via GitHub <sysbot+gh@w3.org>
Cc: public-webauthn@w3.org

It might be worth clarifying that it can’t change for both makeCredential
and getAssertion.

Someone might misunderstand and think the flags for the two operations are
intended to be separate.

On Tue, Aug 30, 2022 at 10:24 AM Tim Cappalli via GitHub <sysbot+gh@w3.org>
wrote:

> > This has now led to Apple's iOS and macOS sending BE=true during
> registration, but BE=false during subsequent usage of the credential during
> assertion ceremonies.
>
> This is likely a bug. I, personally, am not seeing this behavior on the
> latest betas.
>
> > Additionally it is confusing to an RP today when at registration a
> permanent property is changing between registration and assertion.
>
> It cannot change after registration. We already have normative text about
> this: https://w3c.github.io/webauthn/#sctn-credential-backup
>
> "The value of the [BE](https://w3c.github.io/webauthn/#authdata-flags-be)
> [flag](https://w3c.github.io/webauthn/#authdata-flags) is set during
> [authenticatorMakeCredential](
> https://w3c.github.io/webauthn/#authenticatormakecredential) operation
> and MUST NOT change."
>
> --
> GitHub Notification of comment by timcappalli
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1791#issuecomment-1231742129 using
> your GitHub account
>
>
> --
> Sent via github-notify-ml as configured in
> https://github.com/w3c/github-notify-ml-config
>
>
Received on Tuesday, 30 August 2022 14:27:30 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 30 August 2022 14:27:31 UTC
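
Added example, not part of the original messages: one way a Relying Party could enforce the rule quoted above by storing the BE bit at registration and rejecting any assertion whose authenticator data carries a different value. The function names, the `example.com` RP ID and the sample authenticator data are constructed for illustration; the flag bit positions and the "BS requires BE" check come from the WebAuthn authenticator data definition, not from this thread.

```python
import hashlib
import struct

# Bit masks in the authenticator data flags byte (WebAuthn spec).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: fixed at authenticatorMakeCredential
FLAG_BS = 0x10  # backup state: may change between ceremonies


class BackupFlagError(ValueError):
    """Authenticator data violates the backup flag rules."""


def parse_backup_flags(auth_data: bytes) -> dict:
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
    if len(auth_data) < 37:
        raise BackupFlagError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        raise BackupFlagError("BS is set while BE is clear")
    return {"be": be, "bs": bs}


def register(auth_data: bytes) -> dict:
    # Hypothetical RP helper: the record stored alongside the new credential.
    return parse_backup_flags(auth_data)


def check_assertion(stored: dict, auth_data: bytes) -> dict:
    # Hypothetical RP helper: compare the assertion's BE with the stored one.
    current = parse_backup_flags(auth_data)
    if current["be"] != stored["be"]:
        raise BackupFlagError(
            f"BE changed since registration: {stored['be']} -> {current['be']}"
        )
    stored["bs"] = current["bs"]  # BS is allowed to change, so track it
    return stored


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    # Constructed sample input: minimal 37-byte authenticator data.
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + struct.pack(">BI", flags, sign_count)
```

Whether a mismatch fails the ceremony outright or is only logged for investigation is an RP policy choice; the sketch above rejects.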