Re: [webauthn] Enforce backup eligibility during assertion (#1791)

It's here:

https://w3c.github.io/webauthn/#backup-eligibility

"""
A [Public Key Credential Source](https://w3c.github.io/webauthn/#public-key-credential-source)'s [generating authenticator](https://w3c.github.io/webauthn/#generating-authenticator) determines at creation time whether the [public key credential source](https://w3c.github.io/webauthn/#public-key-credential-source) is allowed to be [backed up](https://w3c.github.io/webauthn/#backed-up). Backup eligibility is signaled in [authenticator data](https://w3c.github.io/webauthn/#authenticator-data)'s [flags](https://w3c.github.io/webauthn/#authdata-flags) along with the current [backup state](https://w3c.github.io/webauthn/#backup-state). Backup eligibility is a [credential property](https://w3c.github.io/webauthn/#credential-properties) and is permanent for a given [public key credential source](https://w3c.github.io/webauthn/#public-key-credential-source). A backup eligible [public key credential source](https://w3c.github.io/webauthn/#public-key-credential-source) is referred to as a multi-device credential whereas one that is not backup eligible is referred to as a single-device credential. See also [§ 6.1.3 Credential Backup State](https://w3c.github.io/webauthn/#sctn-credential-backup).
"""

As we can see, the text is the same and indicates that BE is a *creation*-only property, and is also permanent for the life of the credential. This means that if BE is only sent at credential create and later changes, then implementations may not signal it to RPs.

As a result, my view is that BE/BS are properties that should be sent both during creation (attestation) and authentication (assertion), so that if a vendor changes their BE state then RPs are able to see this during the life of a credential, because these states are *not* permanent: they are actually dynamic and changing on some implementations.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1791#issuecomment-1519222403 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 April 2023 00:42:24 UTC
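To make the RP-side view of this discussion concrete, the following is an added example (not code from the thread, the WebAuthn spec, or any project) that decodes the flags byte of authenticator data and re-reads BE/BS at assertion time instead of only at registration. The bit positions (BE = bit 3, BS = bit 4) are the ones the spec assigns in the authenticator data layout; everything else (`make_auth_data`, `CredentialRecord`, `process_assertion`, the `example.com` RP ID and the authData byte strings) is constructed here for illustration.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the authenticator data flags byte (WebAuthn authData layout).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligibility: credential may be backed up
FLAG_BS = 1 << 4  # backup state: credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data follows the prefix
FLAG_ED = 1 << 7  # extension data follows


def flags_valid(flags: int) -> bool:
    """BS is only meaningful when BE is set; BS without BE is an invalid combination."""
    return not (flags & FLAG_BS and not flags & FLAG_BE)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(raw: bytes) -> AuthData:
    """Decode the fixed prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian).
    Attested credential data / extensions that may follow are not needed for BE/BS."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    if not flags_valid(raw[32]):
        raise ValueError("BS set without BE: invalid flags")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


@dataclass
class CredentialRecord:
    """Hypothetical RP-side record: BE and BS captured from the registration authData."""
    rp_id_hash: bytes
    backup_eligible: bool
    backup_state: bool
    sign_count: int


def register(raw_auth_data: bytes) -> CredentialRecord:
    ad = parse_auth_data(raw_auth_data)
    return CredentialRecord(ad.rp_id_hash, ad.backup_eligible, ad.backed_up, ad.sign_count)


def process_assertion(record: CredentialRecord, raw_auth_data: bytes) -> list[str]:
    """Re-read BE/BS from the assertion's authData and report what differs from the record.
    BE is specified as permanent, so a change is flagged as a contradiction;
    BS is expected to change over time, so it is reported and the record is updated."""
    ad = parse_auth_data(raw_auth_data)
    findings: list[str] = []
    if ad.rp_id_hash != record.rp_id_hash:
        findings.append("rpIdHash mismatch")
    if ad.backup_eligible != record.backup_eligible:
        findings.append(
            f"BE changed: registered={record.backup_eligible} asserted={ad.backup_eligible}"
        )
    if ad.backed_up != record.backup_state:
        findings.append(f"BS changed: stored={record.backup_state} asserted={ad.backed_up}")
        record.backup_state = ad.backed_up
    record.sign_count = ad.sign_count
    return findings


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authData prefix (no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> list[list[str]]:
    """Constructed scenario: register, then two assertions from the same credential."""
    record = register(make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE, 0))
    # Later the credential has been synced: BS flips on, BE unchanged.
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 1)
    # Later still, the authenticator stops reporting BE at all.
    be_dropped = make_auth_data("example.com", FLAG_UP | FLAG_UV, 2)
    return [process_assertion(record, synced), process_assertion(record, be_dropped)]


if __name__ == "__main__":
    for findings in demo():
        print(findings or ["no change"])
```

Only the 37-byte prefix is decoded because BE and BS live in the flags byte, which is present in both attestation and assertion authenticator data; an RP that stores the registration-time values and compares on every assertion sees a BE flip as soon as it happens, which is the visibility the comment above argues for.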