David Waite

Results 102 comments of David Waite

I would. I had been working on support for [RFC 6265](https://tools.ietf.org/html/rfc6265), which got involved enough to push for some components to be rewritten. But that work obviously stalled.

Several realizations of credentials (e.g. leveraging anonymizing techniques like link secrets) will often only have a way for a single subject to prove knowledge/possession. The non-normative example of a "bearer"...

The reality is that there are several decisions (including those as part of privacy considerations) which will prevent a full fidelity expression of the data model being exchanged between parties....

> But, bringing it to the attention of Authenticator manufacturers in the FIDO-DEV forum might be worthwhile as the FIDO Alliance could also initiate such an effort outside the purview...

Yes, what I was thinking was something similar to this:

1. best-effort cleanup of credentials the site does not understand
2. eliminating edge cases that create spurious credentials when possible....

@cyberphone There is a technology preview by Apple which uses a secret/private key synchronization mechanism to synchronize PublicKeyCredentials (including private key) across devices. A single registered credential could be used...

@rmondello my understanding is that there is a caveat however: the supported API for keychain (e.g. [kSecAttrSynchronizable](https://developer.apple.com/documentation/security/ksecattrsynchronizable)) and the Apple Platform Security guide have not yet been updated to reflect...

@certainlyNotHeisenberg I believe it is meant to be two-factor (possession and knowledge based) for circle membership, hence the unhighlighted part of the two signatures in this particular step. I'll let...

> I have had other SaaS start to complain about this Ping etc.

Correct. We had no expectation that this WebKit-only behavior would expand from platform authenticators to all authenticators....

> > ...(I'm also inclined to rename it, say, "cntx"). [...] Though, one could also argue that "scope" better reflects the connotations here:
> >
> > I think `ctx` is a...