Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

> Perhaps refine this to "hint to the client to guide UX during the registration ceremony, that non-device-bound keys would ultimately be rejected by the relying party"?

Any hint we add should have a direct relation to a flag in the registration process, such as the backup bits. A historical pain point, for example, is requesting resident keys, where there is no verifiable signal in the response that an RK was actually created. So it would be good if we paired both the *hint* to the UX with what the signed and attested response fields are, so the RP can verify that the hint was followed and respected.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1153351580 using your GitHub account
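As an added illustration of the point above (example code written for this page, not code from the WebAuthn spec or from the commenter): the backup bits the comment refers to are the BE (backup eligible, bit 3) and BS (backup state, bit 4) flags in the `authenticatorData` flags byte, which is covered by the attestation signature at registration and by the assertion signature at authentication. An RP that wants "device-bound only" can therefore enforce it on the signed response rather than on any client-side hint. The RP ID `example.com`, the `build_auth_data` helper and the sample flag combinations are constructed for the example.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced, i.e. not device-bound
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "has_attested_cred_data": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
    }


def check_device_bound_policy(auth_data: bytes, rp_id: str) -> list:
    """Return the list of policy violations; an empty list means the response is acceptable.

    Enforces an enterprise 'device-bound credentials only' policy from the signed
    BE/BS flags, so the RP does not have to trust that a UX hint was honoured.
    """
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if parsed["backup_eligible"]:
        problems.append("credential is backup-eligible (not device-bound)")
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        # The spec does not allow BS to be set while BE is clear.
        problems.append("invalid flags: BS set without BE")
    if not parsed["user_present"]:
        problems.append("user presence not asserted")
    return problems


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed helper: build a minimal 37-byte authenticatorData for testing."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID
    bound = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_AT, 1)
    synced = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 1)
    print("device-bound response:", check_device_bound_policy(bound, rp))
    print("synced response:", check_device_bound_policy(synced, rp))
```

In a real RP the same flags byte is checked after the attestation or assertion signature has been verified, so the decision rests on authenticator-signed data; a hint in the request only shapes the client UX, which is exactly the pairing the comment asks for.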


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 13 June 2022 01:11:22 UTC