Re: [w3ctag/design-reviews] WebAuthn PRF extension (Issue #806)

> The privacy properties are unclear.

Have added a section to the explainer as suggested. This extension doesn't change any of the privacy properties of WebAuthn, so the PRFs are per-credential and credentials are still scoped to an [RP ID](https://www.w3.org/TR/webauthn-2/#rp-id).

> There's mention of this being UI gated, but neither the explainer nor the spec mention the UI, or what triggers it.

This extension doesn't change anything about WebAuthn in that regard either. So sites trigger operations via JavaScript calls on `navigator.credentials` as usual and the data is part of an assertion and thus behind the same ceremony as signing in.

During registration, if the user completes the ceremony and creates the credential then the site learns whether the authenticator supports the extension or not.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/806#issuecomment-1402825203

Message ID: <w3ctag/design-reviews/issues/806/1402825203@github.com>

Received on Tuesday, 24 January 2023 23:28:57 UTC
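
The flow this reply describes, as an added example that is not part of the original message or the explainer: the `prf` extension rides on the ordinary `navigator.credentials.create()` and `get()` calls, registration reports whether the authenticator supports it, and the PRF output comes back with the assertion. All function names are hypothetical, and the caller is assumed to supply the usual `publicKey` options (challenge, RP, user) and the salt.

```javascript
// Added example; helper names are hypothetical, not from the spec or explainer.

// Registration: request PRF support by adding an empty `prf` extension input.
function withPrfAtRegistration(publicKey) {
  return { ...publicKey, extensions: { ...publicKey.extensions, prf: {} } };
}

// What the site learns after a completed registration ceremony:
// true/false from the authenticator, or null if the client returned no `prf` entry.
function prfSupport(credential) {
  const prf = credential.getClientExtensionResults().prf;
  if (!prf || typeof prf.enabled !== "boolean") return null;
  return prf.enabled;
}

// Assertion: ask the credential to evaluate its PRF at `salt`.
function withPrfAtAssertion(publicKey, salt) {
  if (!(salt instanceof Uint8Array) || salt.length === 0) {
    throw new TypeError("salt must be a non-empty Uint8Array");
  }
  return {
    ...publicKey,
    extensions: { ...publicKey.extensions, prf: { eval: { first: salt } } },
  };
}

// PRF output bytes from an assertion, or null when none were returned.
function prfOutput(credential) {
  const first = credential.getClientExtensionResults().prf?.results?.first;
  return first ? new Uint8Array(first) : null;
}

// Browser wiring: the same calls, and therefore the same user ceremony,
// as ordinary WebAuthn registration and sign-in.
async function registerWithPrf(publicKey, container = globalThis.navigator?.credentials) {
  const credential = await container.create({ publicKey: withPrfAtRegistration(publicKey) });
  return { credential, prfSupported: prfSupport(credential) };
}

async function evaluatePrf(publicKey, salt, container = globalThis.navigator?.credentials) {
  const credential = await container.get({ publicKey: withPrfAtAssertion(publicKey, salt) });
  return prfOutput(credential);
}
```
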