Emil Lundberg

This appears to be an issue in OpenSSH; the credential manager in Chrome (`chrome://settings/securityKeys`) shows the same default value `openssh` for the username: ``` $ ssh -V OpenSSH_9.5p1, OpenSSL 3.1.4...

A colleague of mine pointed out that the current [`ssh-keygen` man page description of `-O user`](https://man.openbsd.org/ssh-keygen.1#user) is inaccurate - what it actually does is [set the user handle](https://github.com/openssh/openssh-portable/blob/947affad4831df015c498c00c6351ea6f13895d5/sk-usbhid.c#L916) (AKA user...

I'm considering whether clients should also be allowed to set `false` for extensions that are known and not supported, to give RPs a definitive answer in those cases. That would...

Both the method and the `extension:` capabilities are added in L3, so formally speaking there cannot be any mature implementation of `getClientCapabilities()` that does not include the `extension:` capabilities. At...

Hm, it looks like this is the way it's supposed to be for `create` at least: https://w3c.github.io/webappsec-credential-management/#algorithm-create-cred >When creating a [Credential](https://w3c.github.io/webappsec-credential-management/#credential), it will return an algorithm that takes a [global...

Hi, sorry we haven't gotten back to you on this. At this time it's unlikely we'll add any new functionality to the piv-manager GUI. If anything it's more likely to...

Thanks for pointing this out! There is a connection, but it is a bit buried: - [Step 27 of §7.1. Registering a New Credential](https://w3c.github.io/webauthn/#reg-ceremony-store-credential-record) instructs to set `credentialRecord.transports` to the...

Just noting that there is precedent in the spec for this: the [`InvalidStateError` in create()](https://w3c.github.io/webauthn/#ref-for-authenticatorcancel%E2%91%A3) explicitly calls out that a more granular error is acceptable because the user has consented...

@sameadis I believe what you are describing is two ways to say the same thing? Namely that "the credential is in the excludelist" is precisely the way the client and...

Perhaps "replay attack" is too narrow a term. The purpose of "replay protection" is not only to prevent a challenge from being used more than once - rather, the more...