
Re: [webauthn] Platform authenticators and key stores

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Mar 2018 18:09:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-376982715-1522260581-sysbot+gh@w3.org>
Do we envision tweaking the API for this? In that case, perhaps it could be solved by adding a (non-signed) `AuthenticatorAttachment` attribute to `PublicKeyCredentialDescriptor` and `AuthenticatorAttestationResponse`? That would require no changes to CTAP or authenticators. Then the client could detect if `allowCredentials` lists only platform credentials of which none is available, although that on its own wouldn't be enough to determine whether a credential has disappeared from the current device.

I think we also need to be careful with what kind of error to throw in that case. As we've discussed before, returning an error immediately could leak identifying information. On the other hand, I think that showing an immediate browser popup informing the user, without immediately resolving the promise, shouldn't be an issue.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/851#issuecomment-376982715 using your GitHub account
Received on Wednesday, 28 March 2018 18:09:50 UTC
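
A sketch of the client-side check and the deferred error discussed in the message above. This is an added example, not code from the message, the WebAuthn specification or any browser. The `attachment` field on each descriptor is the hypothetical attribute the message proposes; the `ui` object, the string credential ids and the choice to reject only at the ceremony timeout are assumptions made for illustration.

```javascript
// Added illustration. `attachment` on each descriptor is the hypothetical,
// unsigned attribute proposed in the message; it is not in the WebAuthn API.
// Credential ids are constructed strings (the real API uses BufferSource).

// Decide what the client can conclude from the allow list alone.
function classifyAllowList(allowCredentials, localPlatformIds) {
  if (allowCredentials.length === 0) return "proceed";
  // Any roaming or unlabelled credential may still be presented, so the
  // client cannot conclude anything unless every entry is "platform".
  const allPlatform = allowCredentials.every((c) => c.attachment === "platform");
  if (!allPlatform) return "proceed";
  const anyLocal = allowCredentials.some((c) => localPlatformIds.has(c.id));
  return anyLocal ? "proceed" : "notify-user";
}

// Hypothetical client-side handler. `ui` is an assumed object providing
// runCeremony(list), showNotice(text) and after(ms, fn).
function handleGet(allowCredentials, localPlatformIds, ui, timeoutMs) {
  if (classifyAllowList(allowCredentials, localPlatformIds) === "proceed") {
    return ui.runCeremony(allowCredentials);
  }
  // Tell the user at once, but keep the promise pending: the calling script
  // sees the same delay and the same error as for an abandoned ceremony.
  ui.showNotice("No credential for this site is available on this device.");
  return new Promise((resolve, reject) => {
    ui.after(timeoutMs, () => {
      const err = new Error("The operation either timed out or was not allowed.");
      err.name = "NotAllowedError";
      reject(err);
    });
  });
}

// Constructed sample data.
const sampleAllowList = [
  { type: "public-key", id: "cred-laptop", attachment: "platform" },
  { type: "public-key", id: "cred-phone", attachment: "platform" },
];
const sampleMixedList = sampleAllowList.concat([
  { type: "public-key", id: "cred-usb-key", attachment: "cross-platform" },
]);
```

As the message notes, a "notify-user" result only says that none of the listed platform credentials is on this device; it does not show that one was ever here and has since disappeared.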
