Resident Vs Non Resident Key


hetin k

Jul 20, 2022, 2:17:30 AM7/20/22
to FIDO Dev (fido-dev)
Hi All,

I have a few doubts:
  1. What attributes are stored on the authenticator in the case of a resident key?
    • My understanding: userid, username, displayname, credential id and private key. Is this correct?
  2. What attributes are stored on the authenticator in the case of a non-resident key?
    • Does the authenticator store no data? Does the authenticator only decrypt the credential id and create a signature based on the decrypted credential id?

Thanks, folks.

hetin k

Jul 27, 2022, 10:21:06 AM7/27/22
to FIDO Dev (fido-dev), hetin k
Folks, any reply?

John Bradley

Jul 27, 2022, 10:52:35 AM7/27/22
to hetin k, FIDO Dev (fido-dev)
The specs have moved to describing them as discoverable (usable without an allow list) and non-discoverable (requiring an allow list).

What you say is largely true. However, some authenticators, like the Android platform authenticator, when making a non-discoverable credential will still store the private key, public key, rpId and the credentialID in the authenticator. The credentialID is just an opaque identifier to look up the other info.

Some other authenticators, like the Apple and Microsoft platform ones, will always make discoverable credentials even if the RP sends residentKey "discouraged" or requireResidentKey false. In those cases, all the key info plus userID, name, icon etc. are stored in the authenticator.

So for non-discoverable, it depends on the authenticator.

John B.


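The two storage models the thread contrasts, as an added worked example (not code from the original posts or from any vendor's authenticator): a simulated authenticator that, for a non-discoverable credential, stores nothing and instead encodes a nonce plus a MAC in the credential ID and re-derives the P-256 private key from a device master key, while a discoverable credential is stored as a record (rpId, user handle, user name, private key) that can be found without an allow list. The derivation scheme (HMAC-SHA256 under a device master key, credential ID = 32-byte nonce || 16-byte tag), the function names, and the simplified signed digest are all assumptions of this example, not the CTAP or WebAuthn wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator is a hypothetical simulated device: masterKey never leaves it,
// and store holds only discoverable (resident) credentials.
type Authenticator struct {
	masterKey []byte
	store     []storedCred
}

// storedCred is what a discoverable credential costs in on-device storage.
type storedCred struct {
	rpID, userID, userName, credID []byte
	priv                           *ecdsa.PrivateKey
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewAuthenticator() *Authenticator { return &Authenticator{masterKey: randomBytes(32)} }

func (a *Authenticator) StoredCount() int { return len(a.store) }

// prf is the assumed key-derivation/MAC primitive: HMAC-SHA256 over a label, nonce and RP ID.
func (a *Authenticator) prf(label string, nonce, rpID []byte) []byte {
	m := hmac.New(sha256.New, a.masterKey)
	m.Write([]byte(label))
	m.Write(nonce)
	m.Write(rpID)
	return m.Sum(nil)
}

// deriveKey rebuilds the P-256 private key for (nonce, rpID) from the master key,
// which is why a non-discoverable credential needs no per-credential storage.
func (a *Authenticator) deriveKey(nonce, rpID []byte) *ecdsa.PrivateKey {
	n := elliptic.P256().Params().N
	d := new(big.Int).SetBytes(a.prf("seed", nonce, rpID))
	d.Mod(d, new(big.Int).Sub(n, big.NewInt(1))).Add(d, big.NewInt(1)) // 1 <= d < n
	x, y := elliptic.P256().ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: d}
}

// MakeCredential: residentKey=false returns credentialID = nonce || tag and stores nothing;
// residentKey=true stores key plus user info and returns a short opaque lookup ID.
func (a *Authenticator) MakeCredential(rpID, userID, userName []byte, residentKey bool) ([]byte, *ecdsa.PublicKey) {
	if !residentKey {
		nonce := randomBytes(32)
		priv := a.deriveKey(nonce, rpID)
		id := append(append([]byte{}, nonce...), a.prf("tag", nonce, rpID)[:16]...)
		return id, &priv.PublicKey
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := randomBytes(16)
	a.store = append(a.store, storedCred{rpID, userID, userName, id, priv})
	return id, &priv.PublicKey
}

// digest is a simplified stand-in for SHA-256(authenticatorData || clientDataHash).
func digest(rpID, challenge []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, rpID...), challenge...))
	return h[:]
}

// GetAssertion: with an empty allow list only stored credentials for this RP are usable;
// with an allow list, each ID is tried against the store and then against the MAC.
func (a *Authenticator) GetAssertion(rpID, challenge []byte, allowList [][]byte) (id, sig []byte, err error) {
	sign := func(p *ecdsa.PrivateKey) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, p, digest(rpID, challenge)) }
	for _, c := range a.store {
		if !bytes.Equal(c.rpID, rpID) {
			continue
		}
		for _, want := range allowList {
			if bytes.Equal(c.credID, want) {
				sig, err = sign(c.priv)
				return c.credID, sig, err
			}
		}
		if len(allowList) == 0 {
			sig, err = sign(c.priv)
			return c.credID, sig, err
		}
	}
	for _, cid := range allowList {
		if len(cid) != 48 {
			continue
		}
		nonce, tag := cid[:32], cid[32:]
		// A wrong tag means: not made by this device, or made for a different RP ID.
		if !hmac.Equal(tag, a.prf("tag", nonce, rpID)[:16]) {
			continue
		}
		sig, err = sign(a.deriveKey(nonce, rpID))
		return cid, sig, err
	}
	return nil, nil, errors.New("no usable credential")
}

// Verify is the relying party's check against the public key it registered.
func Verify(pub *ecdsa.PublicKey, rpID, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(rpID, challenge), sig)
}

func main() {
	auth, rp, ch := NewAuthenticator(), []byte("example.com"), []byte("constructed-challenge")
	ndID, ndPub := auth.MakeCredential(rp, []byte("user-1"), []byte("alice"), false)
	_, sig, err := auth.GetAssertion(rp, ch, [][]byte{ndID})
	fmt.Println("non-discoverable: stored", auth.StoredCount(), "verified", err == nil && Verify(ndPub, rp, ch, sig))
	_, _, err = auth.GetAssertion(rp, ch, nil)
	fmt.Println("non-discoverable without allow list:", err)
	dID, dPub := auth.MakeCredential(rp, []byte("user-1"), []byte("alice"), true)
	_, sig, err = auth.GetAssertion(rp, ch, nil)
	fmt.Println("discoverable: stored", auth.StoredCount(), "id", len(dID), "bytes, verified", err == nil && Verify(dPub, rp, ch, sig))
}
```

The tag check is what makes the derived-key model safe to leave stateless: a credential ID from another device, or one registered under a different RP ID, fails the MAC and is never turned into a key, so an RP cannot be tricked into accepting an assertion for a credential it did not register. The "store everything anyway" behaviour John describes for some platform authenticators corresponds to always taking the residentKey=true path regardless of what the RP requested.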

nuno sung

Jul 27, 2022, 11:38:26 PM7/27/22
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), het...@gmail.com
It should also consider which features of CTAP 2.0/2.1 the authenticator wants to support in non-discoverable credentials.
Moreover, the alg, if the authenticator doesn't only support ECDSA.

On Wednesday, July 27, 2022 at 10:52:35 PM [UTC+8], John Bradley wrote: