John Bradley
Thanks, but we won't delay RD02 to refactor quire yet if that is OK. This will save a bunch of time and mistakes later.
To a large extent, this overlaps with [token binding](https://tools.ietf.org/html/rfc8471). If you do an authentication with the token binding extension you can then token bind a cookie, or otherwise record the...
It would be good if we could understand the reasons. Most platforms intend to have a platform level authenticator. If the credentials in the PWA are not globally available to...
Dirk and I talked about something like what @emlun is proposing a couple of years ago for permission based cross-origin authentication requests. One issue was the merchants didn't want the...
In my tests with Safari 14.1 and 14.2 on OSX the requirement for user-activation now also applies to external security keys. I don't see an exception being made for **google.com**....
Going back to @agl's issue. Is this: a) proposing that a site can create an iframe with the feature-policy publickey-credentials-create to allow the origin of the iframe to make a...
I think that some RPs will want to be assured that the assertion comes from a browser enforcing "no user recourse". That seems to be the main ask from NIST...
I agree in general about using an empty allow list, however there are some practical problems. 1) The Android platform authenticator doesn't support empty allow lists. 2) Most roaming authenticators...
You know I do what I can to keep the pressure up on 1, but others need to speak up to make it a priority for the Android team. CTAP2...
CTAP2.1 allows enforcement of PIN policy per credential via CredProtect. There is also a new alwaysUV setting that authenticators can support to always require uv for all credentials. You can...