Emil Lundberg
Interesting point. I agree that implicitly falling back to behaving as if `allowCredentials` were empty is clearly not what the RP intended, since that entails username-less authentication, but I also...
See also #1619: >We might consider adding methods similar to `getPublicKey()` if someone is willing to push for it [...] and #1362: >[...] use of ArrayBuffers is reflecting W3C direction...
> [...] Why not allow the RP to suggest in attestation options a richer set of acceptable authenticator properties? > > An extreme here might be an AAGUID allow-list [...]...
Fixed by #1778.
I believe @ve7jtb's assessment is still accurate. The new `BE` flag in L3 signals whether the credential is hardware-bound to the secure element (when combined with an appropriate attestation). It...
I didn't suggest _in addition_ to this, I suggested _instead of_ this. I think we should not entertain the misconception that wrapped keys are less secure than resident keys.
I don't know, to be honest, but I'm pretty sure it's not this spec. That seems to be about a better understanding of cryptography in general, rather than any particular...
Okay, here goes... :slightly_smiling_face: >* [#1270 (comment)](https://github.com/w3c/webauthn/pull/1270#discussion_r320888115) >> @equalsJeffH: I'm thinking we ought to formalize the term "re-authentication" ( "re-auth" for short -- see also issue #334) and use it...
Related: - #911 - #1303 - #1336 - #1347
This seems to me like something the "credential owner" RP should have to actively opt in to, but I'm not sure how. Feature policy isn't really applicable. Maybe you could...