W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devciePubKey extension MUST be supported if passkey is supported (#1691)

From: Max Hata via GitHub <sysbot+gh@w3.org>
Date: Thu, 20 Jan 2022 12:55:28 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1017479356-1642683327-sysbot+gh@w3.org>
It sounds similar and helpful. But I do not think it  addresses my problem.

If RPs know a phone with AAGUID=X supports passkeys but not devicePubKey extension, RPs can exclude passkeys from all the phones with with AAGUID=X. If 10 million customers of a RP are using the phones with AAGUID=X, the RP cannot enable webauthn for all the 10 million customers. This will be a big problem for their businesses.

If the phone supports passkeys and devicePubKey extenstion, RPs can enable webAuthn for the 10 million customers using devicePubKey extension if the reason is mainly due to security of passkeys.

So I think unique AAGUID will help RPs but not quite address my problem.

RPs want to find if a credential is a cloud synced credential or not when they receive one. I wonder if unique AAGUID may help solve that problem?

GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017479356 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 20 January 2022 12:55:30 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC