Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349) from Tim Cappalli via GitHub on 2025-10-24 (public-webauthn@w3.org from October 2025)

From: Tim Cappalli via GitHub <noreply@w3.org>
Date: Fri, 24 Oct 2025 16:50:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3444066545-1761324653-noreply@w3.org>

> But since the authenticator knows how it's communicating with the client,

That is only the case for traditional authenticators using external transports (USB, NFC, Bluetooth), not for software-based credential managers.

> To me this feels different than a compromised client. 

I brought this up because you mentioned wanting to sign attributes relating to the transports. That seems to stem from the assumption that you don't trust the client.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3444066545 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 October 2025 16:50:56 UTC