- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Thu, 20 Jan 2022 14:24:16 +0000
- To: public-webauthn@w3.org

I do not believe a separate AAGUID is necessary for Passkey-like solutions (where the private-key and credential are portable across devices); there is an easier solution available within the protocol. I recommend that one of the bits in [_authenticatorData_](https://www.w3.org/TR/webauthn-2/#authenticator-data) - say, Bit 3 - be used to indicate that the credential with its private-key is portable across devices/authenticators. If Bit 3 is set, the credential and its private-key **are** portable across devices; if it is NOT set, the credential and its private-key are bound to the device on which the key-pair was generated.

Regardless of AAGUID, an RP will be able to determine, at registration time, whether the credential and its private-key are device-bound or portable. This is easier and faster than having to process an extension (which will also carry additional baggage in the registration response from the authenticator).

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017558439 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 20 January 2022 14:24:18 UTC
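
The RP-side check the message describes, as an added example that is not part of the original message or of the WebAuthn specification: it reads the flags byte of authenticatorData and applies a registration policy to Bit 3. The meaning of Bit 3 is the message's proposal, and the names `FLAGS.PORTABLE`, `parseAuthenticatorData`, `registrationPolicy` and `buildSampleAuthData` are hypothetical.

```javascript
// Added illustration. Header layout (rpIdHash 32 | flags 1 | signCount 4) and
// the UP/UV/AT/ED bits follow WebAuthn Level 2; PORTABLE is the message's
// proposed meaning for bit 3, which Level 2 leaves reserved (assumption).
const FLAGS = { UP: 0x01, UV: 0x04, PORTABLE: 0x08, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticatorData shorter than the 37-byte fixed header');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    flags,
    signCount: buf.readUInt32BE(33),
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    portable: (flags & FLAGS.PORTABLE) !== 0,
  };
}

// Hypothetical RP-side policy hook applied at registration time.
function registrationPolicy(buf, { allowPortable }) {
  const ad = parseAuthenticatorData(buf);
  const binding = ad.portable ? 'portable' : 'device-bound';
  if (!ad.userPresent) return { accepted: false, binding, reason: 'UP not set' };
  if (ad.portable && !allowPortable) {
    return { accepted: false, binding, reason: 'policy requires device-bound key' };
  }
  return { accepted: true, binding, reason: null };
}

// Constructed sample: fixed 37-byte header only, placeholder rpIdHash bytes.
// A real registration response also sets AT and appends credential data.
function buildSampleAuthData(flags, signCount) {
  const out = Buffer.alloc(37, 0xab);
  out[32] = flags;
  out.writeUInt32BE(signCount, 33);
  return out;
}

const portableCred = buildSampleAuthData(FLAGS.UP | FLAGS.UV | FLAGS.PORTABLE, 1);
const boundCred = buildSampleAuthData(FLAGS.UP | FLAGS.UV, 1);
console.log(registrationPolicy(portableCred, { allowPortable: false }));
console.log(registrationPolicy(boundCred, { allowPortable: false }));
```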