Re: [webauthn] Redundant step 6 in DPK verification for authentication (#1853)

While we are in this place of the spec, a couple of things about this paragraph

> Otherwise there is some form of error: we received a known dpk value, but one or more of the accompanying aaguid, scope, or fmt values did not match what the Relying Party has stored along with that dpk value. Terminate these verification steps.

1. "or fmt" seems to be wrong here, because _matchedDpkRecords_ was built using only _aaguid_, _dpk_, and _scope_ for equality. The difference in _fmt_ is covered in the preceding paragraph.
2. It is implied here that during the lifetime of the DPK neither _aaguid_ nor _scope_ can change. It is beneficial, I think, to state it explicitly somewhere (my apologies if it is and I missed it). Otherwise it is reasonable for an RP to assume that after some platform authenticator update (and maybe certification) the _aaguid_ can change for the existing DPK.

-- 
GitHub Notification of comment by ndpar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1853#issuecomment-1444621625 using your GitHub account


Received on Friday, 24 February 2023 22:57:46 UTC