- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Feb 2018 21:09:57 +0000
- To: public-webauthn@w3.org
A drawback of that strategy is that the authenticator will actually create the credential before the client knows to ask "are you sure?". If that was a resident credential, then some of the authenticator's (probably limited) internal storage has now been allocated to it and it may not be obvious to the user that they need to delete it (CTAP2 has no "delete single credential" command, so the client can't do this automatically either). Aside from that, I think it sounds like a good idea. I wouldn't worry about the information leak in option (a) since, as @kpaulh notes, the user evidently _does_ intend to share the information in this case. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366359094 using your GitHub account
Received on Friday, 16 February 2018 21:10:00 UTC