[webauthn] residentKey: "preferred-if-unlimited"? (#1822)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== residentKey: "preferred-if-unlimited"? ==
## Description

There's a tricky wrinkle in the resident key requirement options: an RP may want to support username-less login flows, but worry that a resident key might consume limited storage on a user's authenticator, and not want to consume it if not necessary. Most notably, CTAP2.0 devices without support for CTAP2.1 credential management typically cannot delete resident keys without resetting the authenticator completely. Currently, there is no way for an RP to express a preference of "please create a resident key if possible, but not if it would consume limited storage space that can't be released without resetting the whole authenticator". Should there be?

Some other ideas for naming and meaning options:

- `residentKey: "indifferent" | "any"` - do whatever the authenticator prefers
- `residentKey: "weakly-preferred"` - do whatever the authenticator prefers (e.g., might prefer non-RK to save storage), but prefer RK if authenticator is indifferent
- `residentKey: "weakly-discouraged"` - do whatever the authenticator prefers (e.g., might prefer RK and cloud sync), but prefer non-RK if authenticator is indifferent


## Related Links

- [`residentKey: "preferred"`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-residentkeyrequirement-preferred)

  >This value indicates the [Relying Party](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#relying-party) strongly prefers creating a [client-side discoverable credential](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-side-discoverable-credential), [...]

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 November 2022 10:51:37 UTC
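As an added illustration of the option the issue is discussing (this is example code written here, not code from the issue author or from the webauthn project): the three `residentKey` values the current spec defines are `"discouraged"`, `"preferred"` and `"required"`, and with `"preferred"` an RP cannot tell from the option alone whether a discoverable credential was created. The usual way to find out is the `credProps` extension, whose `rk` output reports it. The helper names `buildCreationOptions`, `interpretCredProps` and `canOfferUsernamelessLogin` are assumptions for this example, and the sample credential objects below are constructed stand-ins for what `navigator.credentials.create()` returns.

```javascript
// Added example, not from the issue: RP-side helpers for the spec's
// residentKey values and for reading the credProps extension result.
// Helper names are hypothetical. Runs in Node without a browser.

// ResidentKeyRequirement enum as defined in WebAuthn Level 2.
// The value proposed in the issue ("preferred-if-unlimited") is not in
// the spec, so it is rejected here rather than silently passed through.
const RESIDENT_KEY_VALUES = new Set(["discouraged", "preferred", "required"]);

function buildCreationOptions({ rpId, rpName, userId, userName, challenge, residentKey }) {
  if (!RESIDENT_KEY_VALUES.has(residentKey)) {
    throw new RangeError(`unknown residentKey value: ${residentKey}`);
  }
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey,
      // Level 1 clients only know requireResidentKey; keep it consistent
      // with residentKey so older clients behave the same way.
      requireResidentKey: residentKey === "required",
      userVerification: "preferred",
    },
    // Ask the client to report whether the credential is discoverable.
    extensions: { credProps: true },
  };
}

// Reads credProps.rk from a created credential.
// Returns "discoverable", "server-side", or "unknown" (client or
// authenticator did not report it, which is a real outcome the RP
// has to handle: it must not assume a resident key exists).
function interpretCredProps(credential) {
  const results =
    credential && typeof credential.getClientExtensionResults === "function"
      ? credential.getClientExtensionResults()
      : {};
  const rk = results && results.credProps ? results.credProps.rk : undefined;
  if (rk === true) return "discoverable";
  if (rk === false) return "server-side";
  return "unknown";
}

// Only enable the username-less flow when the client positively reported
// a discoverable credential; "unknown" is treated as not discoverable.
function canOfferUsernamelessLogin(credential) {
  return interpretCredProps(credential) === "discoverable";
}

// Constructed sample inputs (not real authenticator output).
const sampleOptions = buildCreationOptions({
  rpId: "example.com",
  rpName: "Example RP",
  userId: new Uint8Array(16),
  userName: "alice",
  challenge: new Uint8Array(32),
  residentKey: "preferred",
});
const sampleDiscoverable = { getClientExtensionResults: () => ({ credProps: { rk: true } }) };
const sampleSilent = { getClientExtensionResults: () => ({}) };

module.exports = { buildCreationOptions, interpretCredProps, canOfferUsernamelessLogin, sampleOptions, sampleDiscoverable, sampleSilent };
```

In a browser the object from `buildCreationOptions` is passed as `navigator.credentials.create({ publicKey: options })`, and `interpretCredProps` is applied to the returned credential before the RP records whether that credential can be used for a username-less login. The point relevant to the issue is that `"preferred"` only expresses the RP's wish; whether storage was consumed is known to the RP only after the fact, and only if the client reports `credProps`.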