> Perhaps wild suggestion. If an RP requests direct attestation, why wouldn't the platforms offer a device-bound credential in this case? There's the use case where an RP wants to collect attestation for future use, but doesn't care whether it's device-bound, UV capable, cross-platform, or whatever. For example, to warn users if a security issue is discovered in a particular authenticator model. I don't think we should impose a device-bound-ness preference on that use case. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1151687257 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-configReceived on Thursday, 9 June 2022 22:41:37 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC