Re: [webauthn] devicePubKey → supplementalPubKeys (#1957)

@sbweeden I wasn't thinking of signaling a change of control based on device biometrics.
I was thinking that the provider key would not be exported to a different subscriber account within the same provider.

I think that explicitly moving the credential into another subscriber's account should not carry with it the provider scope key. Or if it is carried across, we need a user scope where the supplemental key is unique to the combination of Account, RP, Provider.

I think that a lot of RPs will be forced via regulation to do some additional step-up each login if they can't detect a change of subscriber account.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1713519423 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 September 2023 09:32:32 UTC