Re: [webauthn] devicePubKey → supplementalPubKeys (#1957)

This raises the question of whether we want to keep the added complexity of attestation over the challenge for the primary key on get?
The key is either hardware bound, so it won't change from makeCredential, or effectively unbound and can come from anyone's device or account, making attestation duplicative with the proposed supplementalPubKeys extension. On getAssertion it is the supplementalPubKeys extension that carries the useful info. I think I would rather roll back the attestation on get, and allow all authenticators to return the supplementalPubKeys extension. If the primary key is hardware bound, a security key could return values in the extension that would help the RP understand that or at least not throw up risk signals.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1706988117 using your GitHub account
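The RP-side reasoning in the comment above (a hardware-bound primary key needs no fresh attestation on get, while an unbound primary key makes the supplemental device key the useful risk signal) can be illustrated with a small relying-party decision routine. This is an added example, not code from the webauthn spec or its authors; the shape of the extension output (`device_keys`, `bound_to_credential`) and the risk labels are assumptions made here for illustration, not the extension's actual wire format.

```python
from dataclasses import dataclass, field

# Assumed RP-side record created at makeCredential time. `hardware_bound` is
# what the RP learned from registration attestation; it is the only place
# attestation is needed for a hardware-bound key, since that key cannot change.
@dataclass
class StoredCredential:
    credential_id: str
    primary_public_key: bytes
    hardware_bound: bool
    known_device_keys: set = field(default_factory=set)


# Assumed (constructed, not the spec's) decoded supplementalPubKeys output.
# `device_keys` are supplemental device public keys seen on this assertion;
# `bound_to_credential` is a hypothetical value a security key could return to
# say "the primary key already is the device binding".
@dataclass
class SupplementalPubKeysOutput:
    device_keys: list = field(default_factory=list)
    bound_to_credential: bool = False


def evaluate_assertion(cred: StoredCredential, ext: SupplementalPubKeysOutput) -> str:
    """Return a risk label for one getAssertion result.

    'no_device_signal'  : no device key and no binding claim; nothing to act on
    'hardware_bound'    : primary key is device-bound, so no new-device risk
    'known_device'      : unbound primary key, but a device key we have seen
    'new_device'        : unbound primary key presented from a new device
    """
    if cred.hardware_bound or ext.bound_to_credential:
        # The primary key cannot move between devices; fresh attestation on get
        # would only repeat what makeCredential already proved.
        return "hardware_bound"

    if not ext.device_keys:
        return "no_device_signal"

    if any(k in cred.known_device_keys for k in ext.device_keys):
        return "known_device"

    # Unbound (e.g. synced) primary key from a device we have not seen: this is
    # the point where an RP would apply step-up or other risk handling.
    return "new_device"


def record_device_keys(cred: StoredCredential, ext: SupplementalPubKeysOutput) -> None:
    """After the RP is satisfied with a 'new_device' assertion, remember its keys."""
    cred.known_device_keys.update(ext.device_keys)


if __name__ == "__main__":
    # Constructed sample data: one synced (unbound) credential, one security key.
    synced = StoredCredential("cred-sync", b"pk-sync", hardware_bound=False)
    seckey = StoredCredential("cred-hw", b"pk-hw", hardware_bound=True)

    print(evaluate_assertion(synced, SupplementalPubKeysOutput([b"dev-A"])))  # new_device
    record_device_keys(synced, SupplementalPubKeysOutput([b"dev-A"]))
    print(evaluate_assertion(synced, SupplementalPubKeysOutput([b"dev-A"])))  # known_device
    print(evaluate_assertion(seckey, SupplementalPubKeysOutput()))            # hardware_bound
```

The point of the example is the first branch: once a credential is known to be hardware bound, the extension output only needs to confirm that fact, and the RP never treats the assertion as coming from a new device.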


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 September 2023 17:03:47 UTC