- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 30 May 2018 00:00:55 +0000
- To: public-webauthn@w3.org
@kpaulh wrote in https://github.com/w3c/webauthn/issues/575#issuecomment-330594383:

> Even if the client supports a platform authenticator, the user has to approve the sharing of that information by responding to a prompt of some sort.

Well, neither the spec, nor PR #904, presently specifies that the user MUST be prompted -- rather, it just suggests that might occur.

Also, wrt what @emlun wrote in https://github.com/w3c/webauthn/issues/575#issuecomment-386545474:

> The method checks for the presence of an authenticator, not a credential, so it should be fine to always return immediately.

However, the situation this time-out stipulation is in regards to is:

> This is done so that callers cannot distinguish between the case where the user was unwilling to create a credential using one of the available user-verifying platform authenticators and the case where no user-verifying platform authenticator exists.

The rationale above (from that parag) is one of privacy. I do not recall offhand who championed adding the entire parag to the spec -- perhaps they can speak up? Are we saying that we have thought about this and do not feel this privacy concern merits distinction in the spec?

I agree a huge long timeout would be problematic UX-wise in some edge cases (I presume these are edge cases, assuming most users will be fine creating a platform cred, and ultimately most platforms will feature userVerifyingPlatformAuthnrs).

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/575#issuecomment-392987140 using your GitHub account
Received on Wednesday, 30 May 2018 00:00:58 UTC
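As an added illustration of the privacy rationale quoted in the message above (example code written for this page, not from the WebAuthn spec, the thread, or any browser), the model below contrasts a client that rejects immediately when no user-verifying platform authenticator exists with one that waits out the caller's timeout in that case too. The functions simulateCreate, callerGuess and whatCallerLearns, the fake clock, and the 60000 ms timeout are all constructed for illustration.

```javascript
// Added example, not from the thread: a deterministic model of the privacy
// rationale quoted above. simulateCreate, callerGuess and the numbers are
// constructed for illustration; a fake clock stands in for real timers.

const NOT_ALLOWED = "NotAllowedError";

// Model of a client handling a create() request that asks for a
// user-verifying platform authenticator. `world` is the hidden state the
// caller must not learn. With leaky=true the client rejects as soon as it
// knows no authenticator exists; with leaky=false it waits out the full
// timeout in that case too, as the quoted paragraph stipulates.
function simulateCreate(world, timeoutMs, leaky) {
  const start = world.clock.now;
  let outcome;
  if (!world.authenticatorPresent) {
    if (!leaky) world.clock.now += timeoutMs; // uniform: burn the whole timeout
    outcome = NOT_ALLOWED;
  } else if (!world.userConsents) {
    world.clock.now += timeoutMs; // user ignores the prompt until it expires
    outcome = NOT_ALLOWED;
  } else {
    world.clock.now += world.userDelayMs; // user approved the prompt
    outcome = "credential";
  }
  return { outcome, elapsedMs: world.clock.now - start };
}

// What a curious caller (the RP script) can infer from the observable result:
// a rejection that arrives before the timeout can only mean "no authenticator".
function callerGuess(result, timeoutMs) {
  if (result.outcome !== NOT_ALLOWED) return "present";
  return result.elapsedMs < timeoutMs ? "absent" : "unknown";
}

// Run both hidden states through a client and report what the caller learns.
function whatCallerLearns(leaky) {
  const timeoutMs = 60000;
  const world = (present) => ({
    authenticatorPresent: present, userConsents: false, userDelayMs: 0,
    clock: { now: 0 },
  });
  return {
    absent: callerGuess(simulateCreate(world(false), timeoutMs, leaky), timeoutMs),
    declined: callerGuess(simulateCreate(world(true), timeoutMs, leaky), timeoutMs),
  };
}

console.log("leaky client:  ", whatCallerLearns(true));   // absent: "absent"
console.log("uniform client:", whatCallerLearns(false));  // absent: "unknown"
```

With the uniform client both failure cases look identical to the caller (same error, same elapsed time), which is exactly the distinction the quoted paragraph is meant to hide.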