- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Thu, 28 Nov 2024 01:40:55 +0000
- To: public-webauthn@w3.org
Here is a real-world example that is potentially caused by this directive. When an iPhone is used as an authenticator, it _only_ creates client-side/"resident" credentials. If one uses Chromium on a separate device to register a credential on the iPhone using `false` for `AuthenticatorSelectionCriteria.requireResidentKey` and `"discouraged"` for `AuthenticatorSelectionCriteria.residentKey` and passes the `credProps` extension, Chromium outputs `false` for `CredentialPropertiesOutput.rk`. This is clearly incorrect. Perhaps if the directive aligned with the notes, then Chromium would instead omit the property entirely rather than assign an incorrect value. I also understand that `credProps` is largely useless since it's unlikely a client or user agent could ever know definitively if a client-side credential were created unless `requireResidentKey` is `true`, making the only possible outputs `true` or missing; however, that's better than giving a directive that causes the wrong value to be assigned sometimes. Perhaps the extension should be removed altogether; but until then, it's better for the notes, IDL and output directions to align.

--
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2213#issuecomment-2505102363 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 28 November 2024 01:40:56 UTC
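
An added example, not part of the comment above or of any project it names: one way a relying party could interpret `credProps.rk` conservatively given the behaviour the comment reports, where `false` may be returned for a credential that is in fact client-side discoverable. The function names `classifyDiscoverability` and `loginPlan`, the returned labels, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration: names and sample inputs below are constructed.
// selection  = the AuthenticatorSelectionCriteria the RP sent at registration
// extResults = the value of PublicKeyCredential.getClientExtensionResults()
function classifyDiscoverability(selection, extResults) {
  const required =
    selection.requireResidentKey === true ||
    selection.residentKey === "required";
  // When a discoverable credential is required, the ceremony must fail if one
  // cannot be created, so a successful registration implies it is discoverable.
  if (required) return "discoverable";

  const props = extResults ? extResults.credProps : undefined;
  if (props && props.rk === true) return "discoverable";

  // rk === false is not trusted as a negative: the comment reports it being
  // emitted for an authenticator that only creates resident credentials.
  // It is therefore handled exactly like a missing property.
  return "unknown";
}

// Hypothetical RP policy: only drop allowCredentials (usernameless sign-in)
// when discoverability is known; otherwise keep sending credential IDs so
// authentication works whichever way the credential was actually stored.
function loginPlan(status) {
  const known = status === "discoverable";
  return { offerUsernameless: known, sendAllowCredentials: !known };
}

// Constructed sample inputs, one per case discussed in the comment.
const samples = [
  { selection: { requireResidentKey: false, residentKey: "discouraged" },
    extResults: { credProps: { rk: false } } },   // the reported Chromium case
  { selection: { requireResidentKey: false, residentKey: "discouraged" },
    extResults: {} },                             // property omitted
  { selection: { requireResidentKey: false, residentKey: "preferred" },
    extResults: { credProps: { rk: true } } },
  { selection: { requireResidentKey: true, residentKey: "required" },
    extResults: {} },
];

function runSamples() {
  return samples.map((s) => classifyDiscoverability(s.selection, s.extResults));
}

console.log(runSamples());
```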