- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Wed, 26 Jan 2022 03:54:15 +0000
- To: public-webauthn@w3.org
Seriously, folks?? It would seem to me, that when dozens to hundreds of FIDO manufacturers have invested years into implementing FIDO solutions with certain security notions, as a courtesy to all that effort and investments - and to instill the principle of "**secure by default**" - the DEFAULT for a FIDO credential should ALWAYS be a hardware-bound key-pair, with NO possibility of ever extracting, copying, cloning, moving, synchronizing or backing up that key-pair to anything, anywhere.

If new entrants to the market desire convenience and are willing to sacrifice security for that illusory benefit, **then** those people/companies should bear the burden of new extension request and response processing, and dealing with the ensuing complexity. Why should the people/companies who have invested more than 7 years into building "secure by default" FIDO solutions have to perform ANY additional work _just to maintain_ what they always believed the FIDO value-proposition would be?

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021837168 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 January 2022 03:54:17 UTC