Emil Lundberg
I wasn't around when these terms were chosen, but anyway: Some context here is that WebAuthn is, formally speaking, an extension to the [Credential Management](https://w3c.github.io/webappsec-credential-management/) spec. That's where the first...
I'll echo Shane's initial point: the user verification requirement is a property of the _ceremony_, not of a credential. For example, one might allow both UV and a conventional password...
There is such a facility in drafts of CTAP2.1, but I don't think they're publicly available yet. Update 20-Jan-2021: [CTAP2.1 RD-02 was recently publicly published](https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html)
Do you mean that it would be backwards-compatible even with authenticators that do not themselves support per-credential UV policies? I would guess that is not viable, no. But at least...
Thanks. This is touched on in the definition of [WebAuthn Relying Party](https://w3c.github.io/webauthn/#webauthn-relying-party):

> [...] Communication between the two components MUST use HTTPS or equivalent transport security, but is otherwise beyond the...
On the 2022-05-18 WG call: we should also point out that RPs need to make sure their subdomains are sufficiently secured too. For example, if users can run arbitrary script on...
Thanks, that's a good point. The concern is that the [scope](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#scope) of a credential extends to parent domains, which means script on for example `usercontent.example.org` could exercise credentials scoped to...
I'd be happy to take this on. I propose that

- For (1) we simply remove the "non-normative" claim and keep the normative SHOULDs in the list.
- For (2)...
Adding on to this, Bikeshed is reporting errors with the new text: `FATAL ERROR: Line 984 isn't indented enough (needs 1 indent) to be valid Markdown: " is allowed...`
> 1. I thought this kind of stuff had to be non-normative as they're more or less examples of usage.

Yeah, it doesn't strictly have to, but I can agree...