- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Mon, 11 Sep 2023 15:27:18 +0000
- To: public-webauthn@w3.org
> is it practical or possible for a provider to signal whether or not, from that provider's perspective, the user account (belonging to the passkey provider) exercising the credential has changed?

What the provider-scoped key means depends on what the attestation says about it. There is certainly a lot to unpack there, but this aims to provide the mechanism to enable useful things to be said.

> The point here is, are we satisfying real RP policy requirements with the proposals in this extension.

We're trying! We have surveyed and spoken with a number of RPs in the finance & regulated space before proposing this.

> I think that a lot of RPs will be forced via regulation to do some additional step up each login if they can't detect a change of subscriber account.

It's up to the providers to provide a sufficiently-strong statement in their attestation to be useful. Otherwise, RPs will just ignore it. Certainly several RPs have expressed that they might be able to use a provider statement that asserted a chain of trust based on a regulatorily-acceptable 2FA, and a provider key is a vehicle for that.

> Since both the provider and device key signatures are over assertion data input, I assume this means the provider signature does not protect the device key.

It does: the device-scoped key is in the authenticator output and so is covered by the signature from the provider-scoped key. However, the attestation of the provider-scoped key likely only makes statements about that key.

> Is there a way to know that the device key is coming from a device within a provider, vs having an intermediary which overrides and provides a consistent key across devices?

The device-scoped key can have its own attestation to assert the device-boundedness of that key.
--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1714116808 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 11 September 2023 15:27:21 UTC