Re: [webauthn] Enforce backup eligibility during assertion (#1791)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 Aug 2022 16:43:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1231912361-1661877801-sysbot+gh@w3.org>

> Yes, but there is no guidance (normative or informative) on what RPs should do if they encounter the forbidden cases (`BE=1 => 0` or `BE=0, BS=1`).

I do agree that an official decision should be made. Two _insanely popular_ WebAuthn libraries currently reject registration and authentication based on the fact that `be:0, bs:1` is "not allowed" because it is the opinion of the authors (read: me 😂) that this reflects an authenticator that is acting up, and that it is a problem that should be fixed at the authenticator level so that it becomes compliant with the spec.

GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1791#issuecomment-1231912361 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 30 August 2022 16:43:24 UTC
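
The check discussed in the message above, as an added example that is not part of the original message and not code from either library: it reads the BE and BS bits from raw authenticator data and rejects the two cases the thread calls forbidden. The function names, the `stored_be` field and the sample data builder are assumptions made for illustration.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Flag bits in the authenticator data flags byte (WebAuthn Level 3).
FLAG_BE = 0x08  # bit 3: backup eligible
FLAG_BS = 0x10  # bit 4: backup state


class BackupFlagError(ValueError):
    """Raised for the flag combinations the thread calls forbidden."""


def parse_backup_flags(auth_data: bytes) -> Tuple[bool, bool]:
    """Return (BE, BS) from raw authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return bool(flags & FLAG_BE), bool(flags & FLAG_BS)


def check_backup_flags(auth_data: bytes,
                       stored_be: Optional[bool] = None) -> Tuple[bool, bool]:
    """Reject BE=0,BS=1 always; reject BE 1 -> 0 when a stored BE is given.

    stored_be is None at registration. At authentication it is the BE value
    saved with the credential (hypothetical storage field, an assumption).
    """
    be, bs = parse_backup_flags(auth_data)
    if bs and not be:
        raise BackupFlagError("BE=0, BS=1: backed up but not backup eligible")
    if stored_be and not be:
        raise BackupFlagError("BE changed from 1 to 0 since registration")
    return be, bs


def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample input: minimal 37-byte authenticator data."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
```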