
Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Thu, 20 Jan 2022 14:24:16 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1017558439-1642688655-sysbot+gh@w3.org>

I do not believe a separate AAGUID is necessary for Passkey-like solutions (where the private-key and credential are portable across devices); there is an easier solution available within the protocol.

I recommend that one of the bits in [_authenticatorData_](https://www.w3.org/TR/webauthn-2/#authenticator-data) - say, Bit 3 - be used to indicate that the credential with its private-key is portable across devices/authenticators. If Bit 3 is set, the credential and its private-key **are** portable across devices; if it is NOT set, the credential and its private-key are bound to the device on which the key-pair was generated. 

Regardless of AAGUID, an RP will be able to determine, at registration time, whether the credential and its private-key are device-bound or portable. This is easier and faster than having to process an extension (which will also carry additional baggage in the registration response from the authenticator).

GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017558439 using your GitHub account

Received on Thursday, 20 January 2022 14:24:18 UTC
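
An RP-side check for the proposal in the message above, as an added example that is not part of the original message or of the WebAuthn specification: it parses the authenticatorData header laid out in WebAuthn Level 2 and reads bit 3 as the proposed portability flag. The `FLAG_PORTABLE` name, the `example.org` RP ID and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

# Flag bits defined for authenticatorData in WebAuthn Level 2.
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80
# Assumption: bit 3 carries the portability signal proposed in the message.
FLAG_PORTABLE = 0x08


def parse_registration_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Validate the authenticatorData header and report credential binding."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not flags & FLAG_AT:
        raise ValueError("registration data lacks attested credential data")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    aaguid = auth_data[37:53]
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("truncated credential ID")
    # The COSE public key (CBOR) follows the credential ID; not parsed here.
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "portable": bool(flags & FLAG_PORTABLE),
        "aaguid": aaguid.hex(),
        "credential_id": cred_id.hex(),
        "sign_count": sign_count,
    }


def build_sample(rp_id: str, flags: int) -> bytes:
    """Constructed authenticatorData for testing; key bytes are a placeholder."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00" * 4
    cred_id = bytes(range(16))
    attested = b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id
    return header + attested + b"\xa0"  # empty CBOR map stands in for the key


if __name__ == "__main__":
    for flags in (FLAG_UP | FLAG_UV | FLAG_AT, FLAG_UP | FLAG_UV | FLAG_AT | FLAG_PORTABLE):
        info = parse_registration_auth_data(build_sample("example.org", flags), "example.org")
        print(f"flags=0x{flags:02x} portable={info['portable']} aaguid={info['aaguid']}")
```

The flags byte is covered by the attestation signature along with the rest of authenticatorData, so an RP that relies on this bit should read it only after attestation verification succeeds.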
