Re: Upcoming changes to Chrome’s WebAuthn implementation (Chrome 112 / 113) from Adam Langley on 2023-03-10 (public-webauthn@w3.org from March 2023)

From: Adam Langley <agl@google.com>
Date: Fri, 10 Mar 2023 11:41:36 -0800
To: John Bradley <jbradley@yubico.com>
Cc: DUBOUCHER Thomas <thomas.duboucher@thalesgroup.com>, Martin Kreichgauer <martinkr@google.com>, W3C Web Authn WG <public-webauthn@w3.org>, "public-webauthn-adoption@w3.org" <public-webauthn-adoption@w3.org>
Message-ID: <CAL9PXLy_uaUo+RrZtwbc4krTHYkznNe4BS4z+6zm9HG26M3bDw@mail.gmail.com>

On Fri, Mar 10, 2023 at 7:02 AM John Bradley <jbradley@yubico.com> wrote:

> I don’t think this really breaks anything in practice.  RP can however
> will need to set uv discouraged on make if they set it on get.
>

I just want to highlight something from the linked documentation: if the RP
sets an explicit credProtect level in the WebAuthn request, that overrides
any of these defaults. The defaults are intended to
prevent unpleasant surprises, but RPs don't have to accept them.

Cheers

AGL

Received on Friday, 10 March 2023 19:42:06 UTC