[webauthn] Pull Request: Define RP processing of be and bs flags during `.create()` and `.get()`

MasterKale has just submitted a new pull request for https://github.com/w3c/webauthn:

== Define RP processing of be and bs flags during `.create()` and `.get()` ==
The spec was light on details on how to handle a couple of states of the `be` and `bs` flags coming out of calls to `.create()` and `.get()`. This PR tries to clarify RP handling of these potential bad scenarios:

1. A device-bound credential does not indicate that it is backed up during registration (`be:0+bs:1`)
2. A device-bound credential does not claim that it is backed up after authentication (`be:0+bs:1`)
3. A credential's backup eligibility does not change after registration (`be:0 -> be:1` or `be:1 -> be:0`)

This should address #1791.


See https://github.com/w3c/webauthn/pull/1907


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 14 June 2023 22:24:51 UTC
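
The three flag states listed in the pull request description can be checked on the RP side as in the following added example, which is not code from the pull request or from the WebAuthn specification. The function names, the `storedBe` parameter, the result shape, and the choice to report each state as a verification failure are assumptions; the bit positions are those of the `flags` byte in WebAuthn authenticator data.

```javascript
// Added example: RP-side check of the be/bs flags after .create() or .get().
// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
const FLAG_BE = 0x08; // bit 3: Backup Eligibility (be)
const FLAG_BS = 0x10; // bit 4: Backup State (bs)

// Extract be and bs from raw authenticator data (Uint8Array).
function parseBackupFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = authData[32];
  return { be: (flags & FLAG_BE) !== 0, bs: (flags & FLAG_BS) !== 0 };
}

// Hypothetical RP helper. storedBe is the be value saved with the credential
// at registration; pass null when verifying a registration (.create()).
function checkBackupFlags(authData, storedBe = null) {
  const { be, bs } = parseBackupFlags(authData);
  // Scenarios 1 and 2: a device-bound credential must not claim to be backed up.
  if (!be && bs) {
    return { ok: false, reason: "be:0+bs:1", be, bs };
  }
  // Scenario 3: backup eligibility must match what was recorded at registration.
  if (storedBe !== null && storedBe !== be) {
    const reason = `be:${storedBe ? 1 : 0} -> be:${be ? 1 : 0}`;
    return { ok: false, reason, be, bs };
  }
  // bs may legitimately change between ceremonies; the caller can store the new value.
  return { ok: true, reason: null, be, bs };
}

// Constructed sample input: zeroed rpIdHash and signCount, caller-chosen flags byte.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```
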