- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Tue, 05 Sep 2023 16:52:31 +0000
- To: public-webauthn@w3.org
> Couldn't this be solved by assertion-time attestation? "Hey I didn't get attestation during registration; please prove this key is hardware bound; my policy changed" sounds simpler from an implementation-POV

Assertion-time attestation is for the primary key, but the primary key might not _be_ hardware bound, nor have the other properties that sites are interested in.

Also, assertion-time attestation closes over the challenge, meaning that it has to be calculated for every assertion. The assertion for a supplemental key can be fixed and cached. (Doing an online assertion for every sign-in is a little fraught from both privacy and reliability perspectives. If a site wants a remote assertion for every sign in, they might want federation.)

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1706972658 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 5 September 2023 16:52:33 UTC