Re: [webauthn] Add Credential Manager Trust Group Key (CMTG) extension (#2338)

>> A credential manager that supports CMTG Keys will always return one if requested.

> I don't think this should be the case:

> - An implementation that exchanges information related to the (non) remoteness of devices with a server component may not be able to produce a CMTG key if the network is down (but can otherwise produce a WebAuthn credential).

That's a good point. I'm not sure returning no CMTG is the better course of action here rather than generating a new one, though. Either way it seems the RP would behave the same, and the only implication is that if there is another sign-in before the network connection to the provider is restored, then at least that second sign-in will carry some trust information and avoid, e.g., another step-up.

> - The UA may support CMTG, but perhaps the authenticator doesn't. I would prefer not to exclude those authenticators. CMTG should be seen as a "nice to have".

"Credential manager" generally means an authenticator, not UA, so that line does not suggest that they should be excluded. If the user selects an authenticator (either directly on create, or implicitly on get by selecting a credential) that doesn't support CMTG, then none would be returned regardless of UA support.

-- 
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2338#issuecomment-3453102050 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 October 2025 20:08:07 UTC