Re: [webauthn] Add privacy consideration about terminating getAssertion early

Thanks for your detailed response!

>>2. The browser notices that one of the excluded parameters is available, ignores that authenticator and waits for another to appear.
>
>AFAICT, the browser/client-platform does not do this [...] rather the authnr does this [...] and returns `NotAllowedError`

Ah yes, that is correct. Either way, the end result is that the client ignores the authenticator in question and keeps waiting for another candidate.

>nit: AFAICT the spec does not stipulate whether the browser, client platform, or authenticator prompts the user.

Indeed, although [authenticatorMakeCredential][amc] step 6 softly specifies that the authenticator does it if capable, and otherwise the client. I chose to keep it simple because I don't know of existing authenticator hardware that allows active denial of consent (as opposed to passive denial by timeout).

>Ah, but the imperative [...] this PR inserted into [#createCredential](https://w3c.github.io/webauthn/#createCredential) step 21 means that the error is not returned before the timer expires, yes? [...]

Assuming implementers read and implement all the steps, yes. :)

[amc]: https://w3c.github.io/webauthn/#op-make-cred

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/687#issuecomment-359124131 using your GitHub account

Received on Saturday, 20 January 2018 00:07:56 UTC
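The timing point discussed above (an authenticator holding an excluded credential is ignored and the client keeps waiting, with `NotAllowedError` surfaced only once the timer expires), as an added model that is not part of the thread, the WebAuthn spec or any browser; the `FakeAuthenticator`, `SimClock` and `create_credential` names and the simulated clock are assumptions made for the example:

```python
"""Constructed model of the createCredential exclusion timing behaviour.
It is not spec text or browser code; it exists to show why deferring the
error to the timeout removes a signal the RP could otherwise observe."""
from dataclasses import dataclass


@dataclass
class FakeAuthenticator:
    credential_ids: set      # credential IDs it holds (constructed sample data)
    appears_at: float        # simulated time at which it becomes visible


@dataclass
class SimClock:
    now: float = 0.0

    def advance_to(self, t: float) -> None:
        self.now = max(self.now, t)


def create_credential(authenticators, exclude_credentials, timeout, clock,
                      leak_timing=False):
    """Return (outcome, elapsed seconds) as seen by the relying party.

    leak_timing=True  : fail fast on an excluded credential, so the RP can
                        tell "no authenticator" from "already registered".
    leak_timing=False : the behaviour the PR mandates; the excluded
                        authenticator is ignored and NotAllowedError is only
                        returned when the timer expires, so both cases take
                        the same time."""
    start = clock.now
    deadline = start + timeout
    excluded = set(exclude_credentials)
    for authnr in sorted(authenticators, key=lambda a: a.appears_at):
        if authnr.appears_at > deadline:
            break                                    # arrives too late
        clock.advance_to(authnr.appears_at)
        if authnr.credential_ids & excluded:
            if leak_timing:
                return ("NotAllowedError", clock.now - start)
            continue                                 # ignore, keep waiting
        # eligible authenticator: a new credential would be created here
        return ("created", clock.now - start)
    clock.advance_to(deadline)                       # timer expired
    return ("NotAllowedError", clock.now - start)
```

Run with and without `leak_timing` to compare the elapsed times an RP would observe for a user with no authenticator versus one whose authenticator is on the exclude list.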