- From: Firstyear via GitHub <noreply@w3.org>
- Date: Fri, 10 Oct 2025 00:49:06 +0000
- To: public-webauthn@w3.org
Having read the proposal I feel that there are too many vague elements in this proposal. In the proposal, it states:

> Why doesn't the credential manager simply attest to the device trustedness? Device trustworthiness is a complex issue, and we think it is outside the scope of passkey credential managers (and possibly FIDO2/WebAuthn in general) to define the criteria for this.

However, this is precisely what the proposal is - a method to assert trustworthiness of the remote passkey store. Phishing resistance is one aspect of trustworthiness when it comes to a private key store, as is use of a secure enclave and other requirements. Similarly, this proposal will still need to rely on a way to assert trustworthiness of the relationship public key source. Effectively this has created "neighbour attestation" where you may not attest my password manager, but my password manager is proving its trust via attesting that my fido key was used to authenticate to it. There still must be some form of device trust built into this process, and that should be documented in this proposal so that its whole value and user experience can be understood by the workgroup.

I don't believe it is clear what the user interaction would be with this extension. Would I use my password manager and, during passkey creation/assertion, also need to interact with my fido key to provide this trust relationship? In this case, what value did the password manager provide when I could have just directly authenticated with my fido key?

I think that this proposal is missing critical elements - the process of trusting a relationship public key, and an assessment of the user experience. Additionally, this seems to be a complex solution to a problem that we already have a solution for - if you need to assert the trustworthiness of a password manager, we have attestation for this.
-- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2338#issuecomment-3387896209 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 10 October 2025 00:49:07 UTC
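The comment's closing point is that WebAuthn already carries a mechanism for a relying party to decide whether a credential store is trusted: the attested credential data and attestation statement returned at registration. The following is an added example, not code from the WebAuthn spec, the issue, or its author, showing the relying-party side of that decision: it parses the `authenticatorData` structure as laid out in the WebAuthn spec (rpIdHash, flags, signCount, then AAGUID and credential ID when the AT flag is set), and applies a sample registration policy that requires a known AAGUID and, optionally, a hardware-bound (non-backup-eligible) credential. The AAGUID, credential ID, COSE key bytes and RP ID are constructed placeholders, and `build_authenticator_data` exists only to produce test vectors. The policy function deliberately stops short of verifying the attestation statement signature against a vendor root; without that step the AAGUID is merely a self-reported hint, which is exactly the trust gap the comment is pointing at.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set
from uuid import UUID

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible (credential may be synced to other devices)
FLAG_BS = 1 << 4  # backup state (credential is currently backed up)
FLAG_AT = 1 << 6  # attested credential data follows the header
FLAG_ED = 1 << 7  # extension data follows


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[UUID]          # present only when FLAG_AT is set
    credential_id: Optional[bytes]  # present only when FLAG_AT is set
    remainder: bytes                # COSE public key and extensions, left unparsed here


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split raw authenticatorData into its 37-byte header and attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    rest = data[37:]
    if flags & FLAG_AT:
        if len(rest) < 18:
            raise ValueError("truncated attested credential data")
        aaguid = UUID(bytes=rest[:16])
        (cred_len,) = struct.unpack(">H", rest[16:18])
        if len(rest) < 18 + cred_len:
            raise ValueError("truncated credential id")
        credential_id = rest[18:18 + cred_len]
        rest = rest[18 + cred_len:]
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, rest)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: UUID, credential_id: bytes, cose_key: bytes) -> bytes:
    """Constructed test-vector builder (not a real authenticator); the inverse of the parser."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return out


def registration_policy(ad: AuthenticatorData, rp_id: str, trusted_aaguids: Set[UUID],
                        require_hardware_bound: bool = True) -> List[str]:
    """Return the policy failures for a registration; an empty list means accepted.

    Caveat: the AAGUID is only as trustworthy as the attestation statement vouching for it.
    Verifying that statement (packed, tpm, fido-u2f, ...) against a vendor root is a separate
    step this example does not perform; with attestation "none" the AAGUID is a hint only.
    """
    problems: List[str] = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not ad.flags & FLAG_UP:
        problems.append("user presence flag not set")
    if not ad.flags & FLAG_UV:
        problems.append("user verification flag not set")
    if not ad.flags & FLAG_AT:
        problems.append("no attested credential data in a registration response")
    elif ad.aaguid not in trusted_aaguids:
        problems.append(f"AAGUID {ad.aaguid} is not on the trusted authenticator list")
    if require_hardware_bound and ad.flags & FLAG_BE:
        problems.append("credential is backup eligible; policy requires a hardware-bound key")
    return problems


# Constructed sample values: the AAGUID is a placeholder, not any real vendor's.
TRUSTED_AAGUIDS = {UUID("11111111-2222-3333-4444-555555555555")}
EMPTY_COSE_MAP = b"\xa0"  # CBOR empty map standing in for a real COSE public key

HARDWARE_KEY = build_authenticator_data(
    "example.com", FLAG_UP | FLAG_UV | FLAG_AT, 1,
    UUID("11111111-2222-3333-4444-555555555555"), b"\x01\x02\x03\x04", EMPTY_COSE_MAP)
SYNCED_KEY = build_authenticator_data(
    "example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0,
    UUID(int=0), b"\xaa\xbb", EMPTY_COSE_MAP)

if __name__ == "__main__":
    for name, raw in (("hardware", HARDWARE_KEY), ("synced", SYNCED_KEY)):
        ad = parse_authenticator_data(raw)
        print(name, ad.aaguid, registration_policy(ad, "example.com", TRUSTED_AAGUIDS) or "accepted")
```

Run as a script, the hardware-bound sample is accepted and the synced sample is rejected twice over (unknown AAGUID, backup eligible). Whether a relying party should reject synced passkeys at all is a policy question; the point of the example is that the decision is made from data the existing attestation path already delivers, and that the AAGUID check only carries weight once the attestation statement behind it has been verified.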