Thanks for explaining, Adam. I'm LGTM1 contingent on:
- An explainer being produced with at least the content of Adam's last post being included. - An FYI being sent to the TAG w/ that Explainer attached. We don't have a policy that allows folks to arbitrarily decide not to send things to them w/o justification. Thanks On Friday, October 15, 2021 at 12:15:34 PM UTC-7 Adam Langley wrote: > On Thursday, October 14, 2021 at 1:49:39 AM UTC-7 yoav...@chromium.org > wrote: > >> Apologies, but it's not clear to me what this does. A higher-level >> explainer may be helpful here. >> > > When returning a WebAuthn assertion, browsers will say whether the > assertion came from a removable device or not. I.e. if you touch a security > key it'll say "cross-platform", but if you use Touch ID / Windows Hello > it'll say "platform". > > Sites could already figure this out because they learn the supported > transports of an authenticator during registration and removable devices > offer things like "usb" or "ble", while the platform authenticators (Touch > ID / Hello) say "internal". But we want to make this simpler for sites so > that they have a clear signal when offering to register the platform as an > authenticator might be useful. > > The vision is that, when phones are fully usable as security keys, users > will be able to sign into sites on a desktop browser with them. But that > site might want to know that a "removable" device was used (e.g. a phone) > because registering the platform authenticator for future sign-ins is > probably a better experience. > > >>> *TAG review* >>> >>> N/A >>> >> >> Why is a TAG review not applicable? >> > > Seems like a very minor change and TAG is a very heavy process. > > >> Web developers: No signals >>> >> >> Are developers likely to adopt this? If not, why are we adding this? >> https://goo.gle/developer-signals >> > > Other parts of an ecosystem need to slot into place in order for > everything to hang together: phones as security keys, syncing credentials, > conditional UI, etc. So developers are probably uninterested in this part > in isolation, but all together there's a fair amount of interest. GitHub, > at least, are public about WebAuthn L2 being insufficient without several > of changes in this set: 1 <https://github.com/w3c/webauthn/issues/1568> 2 > <https://github.com/w3c/webauthn/issues/1567> 3 > <https://github.com/w3c/webauthn/issues/1565>. > > >> >>> Edge: Support Signals >>> >> Any links? >> > > Microsoft supporting here > <https://github.com/w3c/webauthn/issues/1637#issuecomment-874804170>. > (See "Assertion Transports" section; WG discussion changed "transports" to > "attachment", which is what this thread is talking about.) > > > Cheers > > AGL > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd8302d9-709c-4d5a-9d14-b33da77039f8n%40chromium.org.
