W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2021

Re: [webauthn] Unwanted Browser Dependencies (#1638)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Fri, 02 Jul 2021 19:45:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-873222855-1625255101-sysbot+gh@w3.org>
> Hi @MasterKale, I may surely lack some understanding but the OS-level broker in Windows, leaves a lot to be desired since it doesn't know which keys are active or not. #1612 A persistent cookie solved this particular problem but of course created another, browser-specific credentials.

This is an issue with discoverable credentials, and mostly when a demo creates multiple credentials with different user handles. An authenticator is expected to only store one discoverable credential per (user handle, RP) tuple - registration of a new credential should delete the old one. Some authenticators only support one discoverable credential per RPID period, replacing any old credential on new creation. This would effectively auto-clean up a demo with the user handle issue.

There may be additional implementation issues at play as well, e.g. windows hello might create discoverable credentials when non-discoverable credentials were requested. I believe this was a UX issue previously, and do not know if it has been enhanced or if there is a timeline/plans.

> For SPC which _may_ need additional meta-data (the spec is currently up in the air), it will be interesting to see how the cross-browser issue is dealt with.

SPC is using non-discoverable credentials last I checked, so there should not be any sort of user key management at the browser/platform level (barring the previous point of implementations choosing to create discoverable credentials)

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1638#issuecomment-873222855 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 2 July 2021 19:45:05 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:44 UTC