Shane Weeden

Results 52 comments of Shane Weeden

Following TPAC discussion we are going to close this issue. RPs cannot expect an API for detection of BE=1 capable browsers, because with cable/hybrid that would be possible without the...

I don't quite understand why there should be an exception (alternative approach) for SPC credentials. I'm happy to hear the argument for this, but from a purist POV, what *really...

@agl suggested this would be covered in the DPK PR

> When the user triggers the recovery flow, the RP will send a randomly generated message to the client, the client will be prompted to provide his seed phrase (private...

> This creates a relationship between the UVP and the registered credential.

This is a misconception. There is no such relationship. The choice of UVP (as you call it) is...

Credentials are created during the registration ceremony, not used. I think you mean which *authenticators* may be used. Also I think it is important to separate out the capabilities of...

The residentKey parameter (which supersedes requireResidentKey boolean) introduces the "preferred" semantic which is new in the spec for L2. The credProps extension may be used in conjunction, and is designed...

That is not what credProps is for. The credProps extension is for an RP to discover whether or not a discoverable credential (aka resident key (deprecated)) was provisioned when navigator.credentials.create...

> In some cases depending on the RP implementation and assumptions, it may lead to verification bypass reducing MFA authenticators to single factor.

RPs have a responsibility to use the...

> The specification does not make it clear which properties of a webauthn challenge/response are signed and verifiable, and which are not, which leads to ambiguity and a belief in...