- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Fri, 01 Dec 2023 23:01:20 +0000
- To: public-webauthn@w3.org
> so tell me, why do we need to create in js a random number for this, if there is practically no attestation logic we want or even if we want, Apple simply does not implement it? why is it REQUIRED?

If you don't make it required, people won't do it. It allows a registration to enforce that the registration we are being sent is genuine and related to the caller that initiated the registration call. It prevents replays.

> if it wants to win, it has to be backupable...

This is why RPs allow you to register *multiple credentials*. You aren't backing up a single private key. You enroll multiple keys, and can individually revoke them in the case of loss.

> I can tell you now that an average RP will not want this and even if wanted,

This is why you use libraries like https://docs.rs/webauthn-rs/0.4.8/webauthn_rs/ which does everything for you and has been through security audits to ensure proper handling of credentials.

There are genuine issues in the Webauthn space, but they are not the ones you are raising here. I think this conversation has gone far enough though.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1836890139 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 1 December 2023 23:01:22 UTC