Re: [webauthn] Privacy across Account IDs from Emil Lundberg via GitHub on 2018-01-20 (public-webauthn@w3.org from January 2018)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Sat, 20 Jan 2018 00:24:14 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-359126232-1516407852-sysbot+gh@w3.org>

I agree we should be able to close the `excludeCredentials` issue. It should be fixed by #687, although as @equalsJeffH [points out](https://github.com/w3c/webauthn/pull/687#issuecomment-359051421) we should also mention `makeCredential` in the Privacy Considerations subsection.

On the topic of prompting for consent, both authenticator operations specify that consent MUST always be obtained (via either a test of user presence test or user verification), see [authenticatorMakeCredential][amc] step 6 and [authenticatorGetAssertion] step 7.

[amc]: https://w3c.github.io/webauthn/#op-make-cred
[aga]: https://w3c.github.io/webauthn/#op-get-assertion

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/204#issuecomment-359126232 using your GitHub account

Received on Saturday, 20 January 2018 00:24:17 UTC