W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jan 2022 06:08:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021895243-1643177321-sysbot+gh@w3.org>
> Will all those people who have invested in web/mobile applications never have to change their web/mobile apps when Level-3 is standardized if they do not wish to support synchronized key-pairs/credentials?

This extension is meant to give RPs an additional signal to let them accept authenticators that their policy would otherwise deny. It is meant to allow RPs a means to implement more expressive policies.

If an RP policy is to always reject authenticators based on their key-storage properties there's no reason to use this extension at all. Of course, to implement that policy today they need attestations, and will continue to need them in the future.

If instead the policy is extended to accept certain authenticators but to invoke user-facing workflow when the authentication may be coming from new hardware, the onus of providing support for that new workflow would fall onto the user-facing portion of the RP (a web application I believe in your example).

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021895243 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 January 2022 06:08:44 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:44 UTC