
Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 13 Jun 2022 01:11:20 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1153351580-1655082676-sysbot+gh@w3.org>
> Perhaps refine this to "hint to the client to guide UX during the registration ceremony, that non-device-bound keys would ultimately be rejected by the relying party"?

Any hint we add should have a direct relation to a flag in the registration process, such as the backup bits. A historical pain point, for example, is requesting resident keys, where there is no verifiable signal in the response that an RK was actually created. So it would be good if we paired the *hint* to the UX with the signed and attested response fields, so the RP can verify that the hint was followed and respected.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1153351580 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 13 June 2022 01:11:22 UTC
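The point above is that a UX hint is only useful to an enterprise RP if a signed field in the registration response lets the RP verify the outcome. The backup bits are exactly such a field: the BE (backup eligible) and BS (backup state) bits live in the flags byte of the authenticator data, which is covered by the attestation signature. The following is an added illustration, not code from the thread or from the WebAuthn project, showing how a server-side RP could parse that flags byte and reject a credential whose backup bits contradict a "device-bound only" policy. The policy function, the sample-data builder and the constants are this example's own; the sample authenticator data is constructed here, and the parser deliberately stops after the credential ID rather than decoding the COSE public key that follows it in a real response.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the sign count
FLAG_ED = 0x80  # extension data present at the end


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags and signCount, plus the attested credential data
    header (AAGUID and credential ID) when the AT flag is set.

    The COSE public key that follows the credential ID is not decoded here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": {
            "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV),
            "be": bool(flags & FLAG_BE),
            "bs": bool(flags & FLAG_BS),
            "at": bool(flags & FLAG_AT),
            "ed": bool(flags & FLAG_ED),
        },
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data header truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = cred_id
    return parsed


def check_device_bound_policy(auth_data: bytes, rp_id: str,
                              require_device_bound: bool = True) -> list:
    """Return the list of policy violations for a registration response.

    An empty list means the signed flags are consistent with the policy;
    the caller is still responsible for verifying the attestation signature.
    """
    parsed = parse_authenticator_data(auth_data)
    f = parsed["flags"]
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not f["at"]:
        problems.append("registration response carries no attested credential data")
    if f["bs"] and not f["be"]:
        problems.append("BS=1 with BE=0 is an invalid flag combination")
    if require_device_bound:
        if f["be"]:
            problems.append("credential is backup-eligible (BE=1)")
        if f["bs"]:
            problems.append("credential is currently backed up (BS=1)")
    return problems


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int = 0,
                           aaguid: bytes = bytes(16),
                           cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed sample authenticator data for testing (not real output).

    The COSE public key a real authenticator appends is omitted.
    """
    data = hashlib.sha256(rp_id.encode()).digest()
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id
    return data


if __name__ == "__main__":
    bound = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT)
    synced = build_sample_auth_data("example.com",
                                    FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT)
    print("device-bound sample:", check_device_bound_policy(bound, "example.com"))
    print("synced sample:", check_device_bound_policy(synced, "example.com"))
```

Because the flags byte sits inside the signed authenticator data, an RP that records the BE/BS values at registration has a verifiable record of what the authenticator actually did, independent of whatever hint the client chose to display.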
