Re: [webauthn] Requirements for security of MDC, DPK and attestation (#1808) from Shane Weeden via GitHub on 2022-09-24 (public-webauthn@w3.org from September 2022)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Sat, 24 Sep 2022 12:25:25 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1256957090-1664022323-sysbot+gh@w3.org>

I concur with the requirements. Many RPs want the one-touch-and-done strong authentication UX that attested, device-bound credentials offer. The spec itself is unlikely to influence whether or not these requirements will ever be met unless certain features, particularly attestation of all authenticators (including platform), are made mandatory-to-implement. Additionally, RPs want to be able to have more influence over the clients credential creation process. At present the opposite is true - the client decides what happens, and RPs are required to adapt to the result.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1808#issuecomment-1256957090 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 24 September 2022 12:25:26 UTC