Re: [webauthn] Support a "create or get [or replace]" credential re-association operation (#1568) from Emil Lundberg via GitHub on 2021-06-15 (public-webauthn@w3.org from June 2021)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 15 Jun 2021 17:48:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-861708340-1623779312-sysbot+gh@w3.org>

Would it be reasonable if RPs could silently check for "does the user have some discoverable credential for this site"? So not allowing the RP to probe for any particular credential IDs (that would enable de-anonymization attacks), but just the presence of _some_ credential they could use? Or would that be too invasive?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-861708340 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 15 June 2021 17:48:53 UTC