- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 01 Aug 2018 18:13:08 +0000
- To: public-webauthn@w3.org
The user ID is part of the signed assertion. If it is generated by anyone other than the legitimate user it would be an invalid assertion as they would not have the correct key. Any response to the Authenticating party happens above the level of WebAuthentication. The application typically returns a session cookie or an error. The application indicating if the account exists or not as part of an invalid authentication is outside the scope of WebAuthn. The general W3C privacy guidelines should cover this. There is no protocol change required for first-factor authentication. -- GitHub Notification of comment by ve7jtb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1014#issuecomment-409670103 using your GitHub account
Received on Wednesday, 1 August 2018 18:13:22 UTC