- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Jul 2023 09:04:56 +0000
- To: public-webauthn@w3.org
The problem is that backup implies synchronisation here. I think the original flags should have been "sync capable" and "sync active". BS was always intended to be a "user interaction hint" to say "oh maybe you should enable another credential since you current one isn't synced and you should have more than one credential". And if we reverse this lets say I backup my credential and then restore it to a second device. Now I have two copies of that credential, but the "sync" flag isn't set since the second credential believes it was a restore from backup rather than a sync. Yet, now we have two copies of the authenticator, that are indistinguishable. In this case, security conscious providers need to assume BE implies sync even if BS isn't set. In summary, there is no sync without backup. If you can have a backup, it implies sync. BS just says if the sync is currently active or not. -- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1933#issuecomment-1653203415 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 27 July 2023 09:04:58 UTC