Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

I believe @ve7jtb's assessment is still accurate. The new `BE` flag in L3 signals whether the credential is hardware-bound to the secure element (when combined with an appropriate attestation). It does not differentiate whether the private key storage is internal or wrapped external (i.e., encoded into the credential ID), but those two should not be considered different in terms of security strength.

The definition of [backup eligibility](https://w3c.github.io/webauthn/#backup-eligibility) and a single-device credential doesn't currently specify, though, that single-device credentials should be hardware-bound to a secure element if the authenticator has one. Perhaps we should explicitly state this expectation in the definition.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1176334068 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 15:03:12 UTC
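As an added illustration (not part of the thread above or of the WebAuthn spec text) of how a relying party reads the Level 3 flags byte, including BE and BS, and applies a policy requiring a single-device credential, the block below parses the fixed prefix of authenticator data; the sample authenticator data, the RP ID "example.com" and the `attestation_trusted` input are constructed assumptions, and whether an attestation is trustworthy is decided elsewhere.

```python
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_flags(auth_data: bytes) -> dict:
    """Return rpIdHash, the individual flags and signCount from the 37-byte prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_single_device_policy(auth_data: bytes, rp_id: str, attestation_trusted: bool) -> list:
    """Return policy findings for an RP that wants a single-device credential (empty = accepted)."""
    f = parse_flags(auth_data)
    problems = []
    if f["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if f["be"]:
        problems.append("BE=1: credential is backup-eligible, not a single-device credential")
    if f["bs"] and not f["be"]:
        problems.append("BS=1 with BE=0 is an invalid flag combination")
    if not attestation_trusted:
        # BE=0 is asserted by the authenticator; hardware binding is only
        # established when combined with a trusted attestation.
        problems.append("BE=0 alone is self-asserted; hardware binding needs a trusted attestation")
    return problems


def sample_auth_data(flags: int, rp_id: str = "example.com") -> bytes:
    """Constructed sample: rpIdHash || flags || signCount=7, no attested credential data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
```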