W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Sat, 18 Jun 2022 23:10:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1159579781-1655593838-sysbot+gh@w3.org>

> The case _without_ DPK is not as good, as the RP couldn't distinguish first-time use of the credential on a device from subsequent credential usage on a device - losing the ability to detect _strong_ (in the sense of FIDO before Passkeys) device binding.

There is difference in how DPK works for registration vs authentication. We want to block keys at *registration* so the features of DPK which are around attesting via authentication flows isn't relevant. 

> 
> --> back to my previous opinion that DPK support would be sufficient for Enterprise RPs.

It's not. 

Erroring "after" registration and trying to communicate why that error occurred is a terrible process. It will frustrate users.  This is basic elements of human interaction psychology that we need to introduce a *constraint* before the process to prevent the user making the error in the first place. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1159579781 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 18 June 2022 23:10:41 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC