Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

Resident doesn’t mean hardware bound. They are different properties.  

At the CTAP layer the resident true flag requires the authenticator to make a discoverable credential (one that can be used without an allow list). 

A security key could easily make non-discoverable credentials roaming. Just because Google may choose to make non-discoverable credentials hardware bound, we should not confuse the issue by making that part of the spec.

We already have a bit flag for backupable which is not hardware bound.

That is set to 1 if the credential can be backed up.  How is that different from the flag you are looking for?

No flags can be trusted without an attestation, but that is a separate issue.  

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1174581917 using your GitHub account


Received on Tuesday, 5 July 2022 04:03:47 UTC
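
An added example, not part of the comment above or of any WebAuthn project code: how a relying party can read the backup eligibility (BE) and backup state (BS) bits, the "backupable" flag the comment refers to, from authenticator data. The function names and sample bytes are constructed for illustration; the bit positions follow the WebAuthn Level 3 authenticator data layout.

```javascript
// Bit masks for the authenticator data flags byte (WebAuthn Level 3).
// No bit in this byte says whether the credential is discoverable.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthDataFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const byte = authData[32];
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) {
    flags[name] = (byte & mask) !== 0;
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return { flags, signCount: view.getUint32(33, false) };
}

// Classify a credential from BE/BS. BS without BE is an invalid combination
// and is rejected rather than interpreted.
function backupState(flags) {
  if (!flags.BE && flags.BS) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  if (!flags.BE) return "not-backup-eligible";
  return flags.BS ? "backed-up" : "backup-eligible";
}

// Constructed sample input: zeroed rpIdHash, chosen flags byte and counter.
function sampleAuthData(flagsByte, signCount = 0) {
  const buf = new Uint8Array(37);
  buf[32] = flagsByte;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```

As the comment says, these bits are authenticator-asserted, so a relying party that bases policy on them still needs an attestation it trusts.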