- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Feb 2018 20:40:26 +0000
- To: public-webauthn@w3.org

That is a good point... Unfortunately CTAP2 specifies that consent is collected _after_ the CTAP2_ERR_CREDENTIAL_EXCLUDED error would be returned, so the two cases are not distinguishable to the client.

...Unless the client can ask the user up front if they intend to create a credential (i.e., something like Chrome's and Firefox's "share location?" popup: "foo.com would like to register your identity, proceed?")? In that case I suppose the client could return the EXCLUDED error early without any unintended information leak. Updating the spec to accommodate that shouldn't be too hard.

I don't immediately see any other ways to solve this without sacrificing the protection against the information leak.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366352138 using your GitHub account

Received on Friday, 16 February 2018 20:40:31 UTC