Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

I agree that authenticators that support multi-device WebAuthn credentials should support dpk.
However, WebAuthn is not the place to enforce that. WebAuthn is a browser API and not an authenticator specification. We have a grey area because it is possible to define WebAuthn extensions that CTAP2 authenticators may support.

Nothing can be trusted from an RP perspective without some trusted attestation. The proper place to define this is the Fido SPWG. That is where the requirement to implement dpk or other extensions can be generally enforced and published in meta-data for RP.

I am not particularly concerned about the big 3 platform authenticators; they will support dpk and be certified, or have a large enough base that RP will hard code their attestations and make decisions to trust them or not.

The certification requirement is mostly for all the other authenticators that will implement multi-device strategies to compete in the consumer market. We are opening a can of worms here for more than just platform authenticators.

I do think we need something separate from dpk as well to indicate if a credential is multi-device and if it has been backed up/durable or whatever we are going to call it.

dpk is in itself not a sufficient flag; nothing will stop authenticators that are not multi-device from also supporting dpk, and even if they are multi-device capable that doesn't mean that the credential is backed up.

At the end of the day one of our goals in the consumer space is to allow RP to remove passwords as an authentication method.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019690587 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 January 2022 03:54:47 UTC