Re: [webauthn] Enforce backup eligibility during assertion (#1791)

> Yes, but there is no guidance (normative or informative) on what RPs should do if they encounter the forbidden cases (`BE=1 => 0` or `BE=0, BS=1`).

I do agree that an official decision should be made. Two _insanely popular_ WebAuthn libraries currently reject registration and authentication based on the fact that `be:0, bs:1` is "not allowed" because it is the opinion of the authors (read: me 😂) that this reflects an authenticator that is acting up, and that it is a problem that should be fixed at the authenticator level so that it becomes compliant with the spec.

GitHub Notification of comment by MasterKale

Received on Tuesday, 30 August 2022 16:43:24 UTC
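
An added example, not part of the message above and not code from either library it mentions: one way a relying party could detect the two cases named in the quoted text (`BE=0, BS=1`, and `BE` changing between registration and assertion). The function names, the `storedBE` parameter and the sample bytes are assumptions made for illustration; treating a `BE` change in either direction as a failure is this example's choice.

```javascript
// Flag bits in the authenticator data flags byte (offset 32, after the
// 32-byte rpIdHash and before the 4-byte signCount).
const FLAG_BE = 0x08; // Backup Eligibility
const FLAG_BS = 0x10; // Backup State

// Extract BE and BS from raw authenticator data bytes.
function parseBackupFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = authData[32];
  return { be: (flags & FLAG_BE) !== 0, bs: (flags & FLAG_BS) !== 0 };
}

// Hypothetical RP-side check. Pass storedBE = undefined at registration;
// at assertion pass the BE value saved with the credential record.
function checkBackupFlags(authData, storedBE) {
  const { be, bs } = parseBackupFlags(authData);
  if (!be && bs) {
    // A credential cannot be backed up if it is not backup eligible.
    return { ok: false, reason: 'BE=0 with BS=1', be, bs };
  }
  if (storedBE !== undefined && storedBE !== be) {
    // BE is expected to stay fixed for the life of the credential.
    const reason = `BE changed ${storedBE ? 1 : 0} => ${be ? 1 : 0}`;
    return { ok: false, reason, be, bs };
  }
  return { ok: true, reason: null, be, bs };
}

// Constructed sample input: zeroed rpIdHash and signCount, only flags set.
function makeAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

const UP = 0x01; // User Present, set in every constructed sample below
console.log(checkBackupFlags(makeAuthData(UP | FLAG_BE | FLAG_BS)));          // registration
console.log(checkBackupFlags(makeAuthData(UP | FLAG_BS)));                    // BE=0, BS=1
console.log(checkBackupFlags(makeAuthData(UP), true));                        // BE 1 => 0
```

The result object carries a `reason` string so the RP can log which case it hit instead of failing the ceremony silently.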