Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691) from Tim Cappalli via GitHub on 2022-01-25 (public-webauthn@w3.org from January 2022)

From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jan 2022 15:40:24 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021319218-1643125223-sysbot+gh@w3.org>

> This is why dpk should always be provided if multi-device WebAuthn credentials are provided. They are inseparable companion features to ensure backward compatibility on the security model where the credentials were bound to devices. It is disappointing if WebAuthn cannot mandate such an important issue.

@maxhata, please be sure to take a look at the pull request for [devicePublicKey](https://github.com/w3c/webauthn/pull/1663), specifically the `scope` parameter. The DPK may be more specific than just device-level on some platforms.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021319218 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 January 2022 15:40:26 UTC