Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> The suggestion here is to offer RPs an option to indicate a preference for (not) syncing. This would allow implementations to invoke alternative behavior without requiring user intervention (for implementations that make sync capability a user choice via opt-in or opt-out, per credential or globally).

As mentioned, some institutions are required by regulations to properly implement identity proofing. This extends to account recovery, and device syncing.

Those institutions will either:
- manually vet each vendor's implementation of device syncing, and accept them if they follow the required regulations,
- or reject any device sync mechanism that does not meet regulations, or all of them because they don't want to invest too much time.

My guess is that the implementation considerations that will be provided will be to either:
- go to a locked ecosystem where each vendor is vetted individually,
- or go to an open ecosystem where every sufficiently certified device is allowed, and DPK is always requested to trigger an explicit device sync flow: either reject the attempt because a new device is detected, or trigger the explicit enrolment of the new device through its DPK.


-- 
GitHub Notification of comment by serianox
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083573626 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 20:06:26 UTC
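As an added example (not part of serianox's comment, the WebAuthn spec or any vendor's code), the RP-side decision logic for the DPK-triggered explicit device sync flow described in the comment, covering both the locked and the open ecosystem: an unseen device public key is either rejected or routed into an explicit enrolment step. The AAGUID allowlists, key bytes and function names are constructed assumptions.

```python
# Added example (not from the WebAuthn spec or the comment author): RP-side policy for
# the DPK-triggered explicit device sync flow. Allowlists and key bytes are constructed.
from dataclasses import dataclass, field
from enum import Enum

class Ecosystem(Enum):
    LOCKED = "locked"  # only individually vetted vendors may introduce a new device
    OPEN = "open"      # any certified device may be added, but only via explicit enrolment

class Decision(Enum):
    ALLOW = "allow"                    # device public key already enrolled for this credential
    REJECT = "reject"                  # new device from a vendor the RP does not accept
    ENROL_REQUIRED = "enrol_required"  # new device must pass the RP's identity-proofing step

@dataclass
class CredentialRecord:
    credential_id: bytes
    known_dpks: set = field(default_factory=set)    # device public keys accepted so far
    pending_dpks: set = field(default_factory=set)  # awaiting explicit enrolment

# Constructed AAGUID allowlists standing in for the RP's vendor vetting/certification lists.
VETTED_AAGUIDS = {"vendor-a-vetted"}
CERTIFIED_AAGUIDS = {"vendor-a-vetted", "vendor-b-certified"}

def evaluate_assertion(record: CredentialRecord, dpk: bytes, aaguid: str,
                       ecosystem: Ecosystem) -> Decision:
    """An unseen DPK means the passkey reached a new device (sync/backup/restore);
    a known one means the same device as before, so no sync question arises."""
    if dpk in record.known_dpks:
        return Decision.ALLOW
    if ecosystem is Ecosystem.LOCKED:
        # Vendor's sync mechanism was vetted up front: accept and record the new device.
        if aaguid in VETTED_AAGUIDS:
            record.known_dpks.add(dpk)
            return Decision.ALLOW
        return Decision.REJECT
    # Open ecosystem: certified devices may join, but only through explicit enrolment.
    if aaguid in CERTIFIED_AAGUIDS:
        record.pending_dpks.add(dpk)
        return Decision.ENROL_REQUIRED
    return Decision.REJECT

def complete_enrolment(record: CredentialRecord, dpk: bytes, proofing_passed: bool) -> bool:
    """Finish the explicit flow: promote a pending DPK only if identity proofing passed."""
    if dpk not in record.pending_dpks:
        return False
    record.pending_dpks.discard(dpk)
    if proofing_passed:
        record.known_dpks.add(dpk)
    return proofing_passed
```

The pending set keeps a not-yet-proofed device from being silently accepted on a second attempt; it only becomes a known device once the RP's own identity-proofing step reports success.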