Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

I'll try articulate in my own words the requirement I raised in the F2F:

As an enterprise RP, I would like a way to signal to the browser during a registration ceremony, that a device-bound key is required. This offers the client browser an opportunity to tailor the UX around this requirement. I'm explicitly avoiding saying "how" this is signalled (although it has to be some property(s) of the registration request), but ultimately my RP policy is that I wish to know that a credential is bound to a device, and then subsequently be able to ensure this remains true for subsequent authentications.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1151670633 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 9 June 2022 22:10:37 UTC