Re: [webauthn] RPs cannot show "You've Already Registered This Authenticator" Message from Alexei Czeskis via GitHub on 2018-02-16 (public-webauthn@w3.org from February 2018)

From: Alexei Czeskis via GitHub <sysbot+gh@w3.org>
Date: Fri, 16 Feb 2018 20:32:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-366350412-1518813174-sysbot+gh@w3.org>

> providing this information would allow malicious RPs to reliably identify (i.e., track) the user without consent.
No.  The CTAP2 spec explicitly says that user consent must be gathered before it replies with `CTAP2_ERR_CREDENTIAL_EXCLUDED`

-- 
GitHub Notification of comment by leshi
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366350412 using your GitHub account

Received on Friday, 16 February 2018 20:32:58 UTC