w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

[Editorial] platform authenticator relationship to WebAuthn Client and Client Device #2164

Open timcappalli opened 2 weeks ago

timcappalli commented 2 weeks ago

https://w3c.github.io/webauthn/#webauthn-client-device

platform authenticators are bound to a client device rather than a WebAuthn Client.

This isn't always true. Update text.

emlun commented 2 weeks ago

No, I argue this is in fact always true, but that the client device can also act as a roaming authenticator in some contexts. Whether a given authenticator is a platform authenticator or a roaming authenticator is decided by the client executing a WebAuthn ceremony, not by intrinsic properties of the authenticator itself. An Android phone "is" a platform authenticator when executing WebAuthn in a browser running on the phone, but "is" a roaming authenticator when acting as a Bluetooth authenticator with a client running on a laptop.

If those are unhelpful definitions, then we would instead need to replace the definitions with new ones.

emlun commented 2 weeks ago

That example is described in §6.2.1. Authenticator Attachment Modality:

Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case clients running on the mobile device would recognise the authenticator as a platform authenticator, while clients running on a different client device and communicating with the same authenticator via Bluetooth would recognize it as a roaming authenticator.
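As an added illustration of the quoted passage (example code written for this edit, not code from the w3c/webauthn repository or the specification): a relying party that stores the client-reported attachment per registration will see the same authenticator model reported as "platform" in one ceremony and "cross-platform" in another, because the modality is decided by the client running the ceremony. The AAGUIDs and registration records below are constructed placeholders; the field names follow the WebAuthn API (PublicKeyCredential.authenticatorAttachment, AuthenticatorAttestationResponse.getTransports()).

```javascript
// Constructed registration results as an RP backend might keep them after
// parsing the client's PublicKeyCredential. AAGUIDs are placeholders.
const SAMPLE_REGISTRATIONS = [
  // Phone used by a browser running on the phone itself: client reports "platform".
  { credentialId: "cred-1", aaguid: "00000000-0000-0000-0000-00000000aaaa",
    authenticatorAttachment: "platform", transports: ["internal", "hybrid"] },
  // Same phone model reached from a laptop browser over the hybrid transport:
  // the laptop's client reports "cross-platform" for the same authenticator.
  { credentialId: "cred-2", aaguid: "00000000-0000-0000-0000-00000000aaaa",
    authenticatorAttachment: "cross-platform", transports: ["hybrid"] },
  // Security key over USB/NFC.
  { credentialId: "cred-3", aaguid: "00000000-0000-0000-0000-00000000bbbb",
    authenticatorAttachment: "cross-platform", transports: ["usb", "nfc"] },
];

// Normalise one registration into the fields the RP keeps. The attachment
// attribute is nullable in the API, so a missing value is stored as null.
function summarizeRegistration(reg) {
  const attachment = reg.authenticatorAttachment ?? null;
  if (attachment !== null && attachment !== "platform" && attachment !== "cross-platform") {
    throw new Error(`unexpected authenticatorAttachment: ${attachment}`);
  }
  return {
    credentialId: reg.credentialId,
    aaguid: reg.aaguid,
    attachment,
    transports: [...(reg.transports ?? [])],
  };
}

// Group registrations by AAGUID and collect the modalities each model has
// been reported with.
function attachmentsByAaguid(regs) {
  const out = new Map();
  for (const r of regs.map(summarizeRegistration)) {
    if (!out.has(r.aaguid)) out.set(r.aaguid, new Set());
    if (r.attachment !== null) out.get(r.aaguid).add(r.attachment);
  }
  return out;
}

// Models seen as both "platform" and "cross-platform": evidence that the RP
// must not infer attachment from the authenticator model alone.
function modelsWithMixedAttachment(regs) {
  return [...attachmentsByAaguid(regs)]
    .filter(([, modalities]) => modalities.size > 1)
    .map(([aaguid]) => aaguid);
}
```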

timcappalli commented 2 weeks ago

I'm only talking about same device scenarios. There are cases where the authenticator is bound only to the WebAuthn client, and not the underlying client device.

Examples:

  1. Google Password Manager in Chrome
  2. A passkey provider operating as a browser extension (which is itself the WebAuthn client)

emlun commented 2 weeks ago

Ok, those are fair counterexamples.