Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

> The new `BE` flag in L3 signals whether the credential is hardware-bound to the secure element (when combined with an appropriate attestation).

I disagree with this statement. The `BE` flag means that the key is allowed to be backed up. It does not make any statements about the storage of the key or its security properties.

As mentioned in the original PR comments, these bits are designed to drive business logic and user experiences, not convey authenticator security properties.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1176595587 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 19:27:36 UTC
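
The distinction drawn in the comment above, as an added example that is not part of the original message or of the WebAuthn project's code: a relying party reads `BE` and `BS` from the authenticator data flags byte, checks that they are consistent, and uses them only to pick a user-experience path, never as evidence of how the key is stored. Bit positions and the consistency checks follow WebAuthn Level 3; the function names, the `ux` labels and the sample bytes are hypothetical and constructed for illustration.

```javascript
// Flag bits in the authenticator data flags byte (WebAuthn Level 3).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function parseFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data shorter than the 37-byte fixed header");
  }
  const f = authData[32];
  return {
    userPresent: (f & FLAG.UP) !== 0,
    userVerified: (f & FLAG.UV) !== 0,
    backupEligible: (f & FLAG.BE) !== 0, // key is allowed to be backed up
    backupState: (f & FLAG.BS) !== 0,    // key is currently backed up
  };
}

// Hypothetical relying-party helper. storedBackupEligible is the BE value
// recorded at registration; pass undefined when handling a registration.
function backupPolicy(authData, storedBackupEligible) {
  const { backupEligible, backupState } = parseFlags(authData);
  // BS without BE is not a permitted combination.
  if (!backupEligible && backupState) {
    return { ok: false, reason: "BS set without BE" };
  }
  // BE is fixed at creation time, so it must match the stored record.
  if (storedBackupEligible !== undefined && storedBackupEligible !== backupEligible) {
    return { ok: false, reason: "BE changed since registration" };
  }
  // Business logic / UX only. Nothing here asserts hardware binding or any
  // storage property; that would have to come from attestation, if at all.
  let ux;
  if (backupState) ux = "credential-is-backed-up";
  else if (backupEligible) ux = "may-be-backed-up-later";
  else ux = "single-device-suggest-second-credential";
  return { ok: true, ux };
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte set.
function sampleAuthData(flags) {
  const d = new Uint8Array(37);
  d[32] = flags;
  return d;
}
```
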