Re: [webauthn] Adding some sentences to describe credential sharing between multiple users (#1921) from Shane Weeden via GitHub on 2023-08-17 (public-webauthn@w3.org from August 2023)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Aug 2023 01:12:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1681463295-1692234776-sysbot+gh@w3.org>

My perspective is that WebAuthn as a spec deals with clients (browsers) and RP (servers) processing rules, and doesn't have any influence over how an authenticator protects/manages/shares credentials beyond what might be indirectly conveyed via attestation, and the associated promises the authenticator vendor might make associated with that. As such I'd consider any notion of credential sharing is outside the scope of the WebAuthn specification. Ultimately if those things are of concern to a deployer, then attestation should be requested and RP policy dictates what happens next.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1921#issuecomment-1681463295 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 17 August 2023 01:13:00 UTC