Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

The spec states as such in several places (emphases mine):
> 
> https://www.w3.org/TR/webauthn-2/#credential-key-pair
> 
> > A credential private key is the private key portion of a credential key pair. The credential private key is **bound** to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.

To an authenticator, which in this case is software with cloud storage.

Whether it is software with cloud storage or a USB key or local platform TPM only is only really determinable to the relying party via attestations. Without platforms/browsers taking a position on what implementation details are required and doing a vendor deny list, the ability to determine if an implementation meets such a requirement is via manufacturer-asserted or certification-body-asserted attestations.

Directly issuing certification requirements is something which we have not done so far, and is a different ‘type’ of work IMHO better left to other groups when possible.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019542360 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 23 January 2022 18:38:14 UTC