Re: [webauthn] devciePubKey extension MUST be supported if passkey is supported (#1691) from Max Hata via GitHub on 2022-01-23 (public-webauthn@w3.org from January 2022)

From: Max Hata via GitHub <sysbot+gh@w3.org>
Date: Sun, 23 Jan 2022 12:36:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1019476409-1642941375-sysbot+gh@w3.org>

Multi-device WebAuthn credentials that are syncable and devicePubKey extension are an inseparable pair, where devicePubKey extension is a fallback.

Multi-device WebAuthn credentials is synced with cloud of a party, e.g., a platform vendor, whose cloud security is not known to RPs. So some RPs cannot accept such cloud synced multi-device WebAuthn credentials, despite the convenience that it offers. For them, devicePubKey is the mechanism not to accept cloud synced multi-device WebAuthn credentials with unknown security unconditionally, but to accept them after their own verification to ensure the security of the RP's accounts.

-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019476409 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 23 January 2022 12:36:18 UTC