[webauthn] No way to verify requireResidentKey during registration step at RP side

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== No way to verify requireResidentKey during registration step at RP side ==
In order to allow only authenticators that have the resident key feature, for security reasons, an RP can set requireResidentKey to true when calling the create request.

```
dictionary AuthenticatorSelectionCriteria {
    AuthenticatorAttachment      authenticatorAttachment;
    boolean                      requireResidentKey = false;
    UserVerificationRequirement  userVerification = "preferred";
};
```

Even if platforms and browsers handle such parameters and may work correctly, from the viewpoint of the RP side, there is no way to verify whether credentials are really resident at the authenticator side or not.
If the authenticator data includes requireResidentKey as a flag like UV and UP, the RP can verify its value and integrity by verifying the signature.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060 using your GitHub account

Received on Monday, 10 September 2018 12:03:06 UTC
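The gap described in the issue, shown as an added example (not part of the original message or of the WebAuthn project): an RP-side parse of the authenticator data flags byte, using the flag bits defined in WebAuthn Level 1. The function names, the policy object and the sample bytes are hypothetical, and the signature covering the authenticator data is assumed to have been verified already.

```javascript
// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
// Flag bits defined in WebAuthn Level 1; no bit reports whether the key is resident.
const FLAGS = { UP: 0x01, UV: 0x04, AT: 0x40, ED: 0x80 };

function parseAuthData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flagsByte = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) {
    flags[name] = (flagsByte & mask) !== 0;
  }
  return { rpIdHash: authData.slice(0, 32), flagsByte, flags, signCount: view.getUint32(33, false) };
}

// Hypothetical RP policy check: compares what the RP asked for in
// AuthenticatorSelectionCriteria with what the signed flags can confirm.
function checkRegistrationPolicy(authData, policy) {
  const { flags } = parseAuthData(authData);
  const failures = [];
  const unverifiable = [];
  if (!flags.UP) failures.push('user presence (UP) not set');
  if (policy.userVerification === 'required' && !flags.UV) {
    failures.push('user verification (UV) not set');
  }
  // Nothing in the flags byte corresponds to requireResidentKey, so the RP
  // can only record that the request could not be confirmed.
  if (policy.requireResidentKey) unverifiable.push('requireResidentKey');
  return { ok: failures.length === 0, failures, unverifiable };
}

// Constructed sample: filler rpIdHash, chosen flags, chosen counter.
// Truncated to the fixed 37-byte header; real registration data continues
// with attested credential data when AT is set.
function sampleAuthData(flagsByte, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flagsByte;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```

With the constructed sample `sampleAuthData(0x45, 7)` and a policy of `{ userVerification: 'required', requireResidentKey: true }`, the UP and UV checks pass while `requireResidentKey` is reported as unverifiable.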