- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 27 Feb 2023 12:27:56 +0000
- To: public-webauthn@w3.org
> * "or fmt" seems to be wrong here, because _matchedDpkRecords_ was built using only _aaguid_, _dpk_, and _scope_ for equality. The difference in _fmt_ is covered in the preceding paragraph.

You're right, the matching and the "Otherwise" description went out of sync in commit 5af393d40ff4275a343cb7b7cec19ac6876045be. I'll add this fix to PR #1858.

> 2. It is implied here that during the lifetime of the DPK neither _aaguid_ nor _scope_ can change. It is beneficial, I think, to state it explicitly somewhere (my apology if it is and I missed it). Otherwise it is reasonable for an RP to assume that after some platform authenticator update (and maybe certification) the _aaguid_ can change for the existing DPK.

I think most would expect that `aaguid` won't change since that is the case for top-level credentials, so I don't think that needs to be called out more explicitly than the verification steps make it. I would expect `scope` to be an immutable credential property as well, but I could see a case for adding some mention of this in the CDDL comments defining `attObjForDevicePublicKey`. But I also think it is unambiguous enough as is. @agl thoughts on this?

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1853#issuecomment-1446243647 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 February 2023 12:27:57 UTC