Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

It sounds similar and helpful. But I do not think it addresses my problem.

If RPs know a phone with AAGUID=X supports passkeys but not the devicePubKey extension, RPs can exclude passkeys from all the phones with AAGUID=X. If 10 million customers of an RP are using the phones with AAGUID=X, the RP cannot enable WebAuthn for all the 10 million customers. This will be a big problem for their businesses.

If the phone supports passkeys and the devicePubKey extension, RPs can enable WebAuthn for the 10 million customers using the devicePubKey extension if the reason is mainly due to security of passkeys.

So I think unique AAGUID will help RPs but not quite address my problem.

RPs want to find if a credential is a cloud synced credential or not when they receive one. I wonder if unique AAGUID may help solve that problem?




-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017479356 using your GitHub account


Received on Thursday, 20 January 2022 12:55:30 UTC