W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 09 Jun 2022 22:41:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1151687257-1654814494-sysbot+gh@w3.org>
> Perhaps wild suggestion. If an RP requests direct attestation, why wouldn't the platforms offer a device-bound credential in this case?

There's the use case where an RP wants to collect attestation for future use, but doesn't care whether it's device-bound, UV capable, cross-platform, or whatever. For example, to warn users if a security issue is discovered in a particular authenticator model. I don't think we should impose a device-bound-ness preference on that use case.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1151687257 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 9 June 2022 22:41:37 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC