Re: [webauthn] Managing FIDO keys (#1612)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Fri, 14 May 2021 02:46:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-840969087-1620960413-sysbot+gh@w3.org>
Possibility three only applies to resident keys, which in order for the RP to request, you send an empty array of credential IDs anyway. So this would effectively just mean the server has some "defunct" keys in its DB, but they are not offered in an authentication ceremony :)

If the user wants to remove a non-resident (key wrapped key), they would need to remove this from the RP's specific interface, which would then remove it from their DB, and remove it from subsequent authentications.

So really, the fact you are seeing "zombie" credentials here is because those demo sites probably aren't handling those deletes properly. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1612#issuecomment-840969087 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 14 May 2021 02:46:57 UTC
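
The relying-party bookkeeping described in the message above, as an added example that is not part of the original comment or of any project's code: a credential deleted through the RP's interface drops out of `allowCredentials` and is no longer accepted, while the resident-key flow sends an empty list. The class, method names and sample IDs are hypothetical, and plain strings stand in for the byte arrays WebAuthn uses for IDs and challenges.

```javascript
// Added illustration: in-memory RP credential store (all names hypothetical).
// Signature verification is out of scope; this only shows which credential
// IDs the RP offers in a ceremony and which it still accepts afterwards.
class CredentialStore {
  constructor() { this.byId = new Map(); } // credentialId -> record

  register(username, credentialId, discoverable) {
    this.byId.set(credentialId, { username, credentialId, discoverable });
  }

  // The user removes a credential through the RP's own management interface.
  remove(username, credentialId) {
    const rec = this.byId.get(credentialId);
    if (!rec || rec.username !== username) return false; // unknown or not theirs
    return this.byId.delete(credentialId);
  }

  // Options for navigator.credentials.get(). With no username (resident-key
  // flow) allowCredentials is empty: the authenticator picks the credential,
  // so stale server-side records are simply never offered.
  requestOptions(rpId, challenge, username = null) {
    const allowCredentials = username === null ? [] :
      [...this.byId.values()]
        .filter((r) => r.username === username)
        .map((r) => ({ type: "public-key", id: r.credentialId }));
    return { rpId, challenge, allowCredentials };
  }

  // An assertion is only considered if its credential ID is still in the DB.
  lookupAsserted(credentialId) {
    return this.byId.get(credentialId) ?? null;
  }
}

// Constructed sample data: one key-wrapped and one resident credential.
function demo() {
  const store = new CredentialStore();
  store.register("alice", "cred-wrapped-1", false);
  store.register("alice", "cred-resident-1", true);
  const before = store.requestOptions("example.org", "chal-1", "alice");
  const wrongOwner = store.remove("bob", "cred-wrapped-1");
  store.remove("alice", "cred-wrapped-1");
  const after = store.requestOptions("example.org", "chal-2", "alice");
  return {
    before: before.allowCredentials.map((c) => c.id),
    after: after.allowCredentials.map((c) => c.id),
    residentFlow: store.requestOptions("example.org", "chal-3").allowCredentials,
    wrongOwner,
    deletedAccepted: store.lookupAsserted("cred-wrapped-1") !== null,
  };
}
```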
