Re: [webauthn] isUserVerifyingPlatformAuthenticatorAvailable() timeout really 10 minutes?

The paragraph was added in commit 8bf3b7e7cb803e459da9dfd239e68815cf40aaf7, which mentions #523.

I also don't understand why this method specifies that

> [...] the client then assesses whether the user is willing to create a credential using one of the available user-verifying platform authenticators. [...]

This seems to me like the responsibility of [`credentials.create()`][create]. In fact, if isUVPAA were to do that, then the user would be prompted twice for consent to create a credential if the RP calls isUVPAA first. Also, I interpret @christiaanbrand's comment https://github.com/w3c/webauthn/issues/575#issuecomment-386059592 as proposing the above part should be deleted.

The identifying information leak in create() is caused by the `excludeCredentials` parameter; since isUVPAA doesn't have that parameter, the same privacy concerns shouldn't apply to isUVPAA. However, the privacy concern noted here is about fingerprinting. isUVPAA could provide the RP with one additional bit of information to build a browser fingerprint from. Is that something we should be worried about? Chrome and Edge are clearly not... (https://github.com/w3c/webauthn/issues/575#issuecomment-386059592, https://github.com/w3c/webauthn/issues/575#issuecomment-386650507)

[create]: https://w3c.github.io/webauthn/#createCredential

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/575#issuecomment-393134099 using your GitHub account

Received on Wednesday, 30 May 2018 11:57:36 UTC
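An RP-side sketch of the flow the comment discusses, added here as an illustration and not taken from emlun's comment or from the WebAuthn spec: the availability check is bounded by an RP-chosen wait (so a long client-side timeout on isUVPAA cannot stall the page), the actual consent prompt is left to `credentials.create()`, and `excludeCredentials` is only populated from credential IDs the RP already associates with an identified user. The `isUVPAA` function is injected rather than read from `PublicKeyCredential` so the logic runs outside a browser; the RP/user values and the 2 s and 60 s limits are assumptions for the example.

```javascript
// Race a promise against a timer; resolve with `fallback` if the timer wins.
function withTimeout(promise, ms, fallback) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(fallback), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Feature-detect a user-verifying platform authenticator without letting the
// check itself block for long. `isUVPAA` is expected to be
// PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable in a
// browser; any function returning a Promise<boolean> works here (assumption).
async function platformAuthenticatorAvailable(isUVPAA, ms = 2000) {
  if (typeof isUVPAA !== 'function') return false; // API absent: treat as unavailable
  try {
    return await withTimeout(isUVPAA(), ms, false); // slow answer: treat as unavailable
  } catch {
    return false; // rejected: treat as unavailable
  }
}

// Build PublicKeyCredentialCreationOptions. Consent is requested by
// navigator.credentials.create(), not by the availability check above.
// `knownCredentialIds` should come only from credentials the RP already holds
// for the user it has identified; that is what makes excludeCredentials
// identifying, so it is never filled in from an unauthenticated request.
function buildCreationOptions({ challenge, rp, user, preferPlatform, knownCredentialIds = [] }) {
  return {
    challenge, // server-generated random bytes (constructed in the usage below)
    rp,
    user,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: preferPlatform
      ? { authenticatorAttachment: 'platform', userVerification: 'required' }
      : { userVerification: 'preferred' },
    excludeCredentials: knownCredentialIds.map((id) => ({ type: 'public-key', id })),
    timeout: 60000, // assumed RP-side ceremony timeout in milliseconds
  };
}

// Usage in a browser page (guarded so the file also loads outside a browser).
if (typeof PublicKeyCredential !== 'undefined' && typeof navigator !== 'undefined') {
  platformAuthenticatorAvailable(
    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable,
  ).then((available) => {
    const options = buildCreationOptions({
      challenge: crypto.getRandomValues(new Uint8Array(32)),
      rp: { name: 'Example RP', id: location.hostname },          // constructed
      user: { id: new Uint8Array(16), name: 'alice', displayName: 'Alice' }, // constructed
      preferPlatform: available,
      knownCredentialIds: [], // fill only after the user is identified server-side
    });
    return navigator.credentials.create({ publicKey: options });
  }).catch((err) => console.error('registration failed:', err));
}
```

The availability result only steers `authenticatorSelection`; a `false` from a slow or absent isUVPAA still lets registration proceed with a roaming authenticator rather than failing outright.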