Re: [w3ctag/design-reviews] Web Authentication Immediate Mediation (Issue #1092) from Ken Buchanan on 2025-06-17 (public-webapps-github@w3.org from June 2025)

From: Ken Buchanan <notifications@github.com>
Date: Tue, 17 Jun 2025 15:31:26 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/1092/2982016871@github.com>

kenrb left a comment (w3ctag/design-reviews#1092)

> It feels like this is a larger discussion to have in WebAppSec WG, as part of the Credential Management API, particularly as it is Credential Management API that governs mediation.

I'm happy to take part in any such discussion, but I'll note that the changes here really only pertain to WebAuthn. We are proposing this should be usable with both `PublicKeyCredential` and `PasswordCredential` (in the same way that `mediation: "conditional"` currently only applies to `PublicKeyCredential`) but the behaviour described in this proposal already exists for `PasswordCredential` with existing mediation modes, since that returns an empty credential when no password is available. I think the contentious parts here are around the interactions with passkeys.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1092#issuecomment-2982016871
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1092/2982016871@github.com>

Received on Tuesday, 17 June 2025 22:31:30 UTC