- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Fri, 02 Jul 2021 19:45:03 +0000
- To: public-webauthn@w3.org
> Hi @MasterKale, I may surely lack some understanding but the OS-level broker in Windows, leaves a lot to be desired since it doesn't know which keys are active or not. #1612 A persistent cookie solved this particular problem but of course created another, browser-specific credentials. This is an issue with discoverable credentials, and mostly when a demo creates multiple credentials with different user handles. An authenticator is expected to only store one discoverable credential per (user handle, RP) tuple - registration of a new credential should delete the old one. Some authenticators only support one discoverable credential per RPID period, replacing any old credential on new creation. This would effectively auto-clean up a demo with the user handle issue. There may be additional implementation issues at play as well, e.g. windows hello might create discoverable credentials when non-discoverable credentials were requested. I believe this was a UX issue previously, and do not know if it has been enhanced or if there is a timeline/plans. > For SPC which _may_ need additional meta-data (the spec is currently up in the air), it will be interesting to see how the cross-browser issue is dealt with. SPC is using non-discoverable credentials last I checked, so there should not be any sort of user key management at the browser/platform level (barring the previous point of implementations choosing to create discoverable credentials) -- GitHub Notification of comment by dwaite Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1638#issuecomment-873222855 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 2 July 2021 19:45:05 UTC