
Re: [webauthn] Managing FIDO keys (#1612)

From: Charles Hubain via GitHub <sysbot+gh@w3.org>
Date: Fri, 14 May 2021 07:05:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-841057679-1620975904-sysbot+gh@w3.org>
@cyberphone For our FIDO development and testing needs, our FIDO server has a specific API used to delete a credential from its DB, and we have a management interface in our test/demo applications. Since our FIDO server always sets the `allowCredentials` array according to its DB content, the behavior is exactly the same as if we had deleted the credential from the authenticator.

I believe the reason why the client doesn't expose a delete credential API is privacy: this prevents the RP from discovering all the credentials (from potentially other accounts) managed by the authenticator. This could be used by a malicious RP as a way to break the "private navigation" model, or simply against a user attempting to maintain separate accounts on the same authenticator.

-- 
GitHub Notification of comment by haxelion
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1612#issuecomment-841057679 using your GitHub account
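The comment above describes a server-side model where the RP deletes a credential from its own database and derives `allowCredentials` strictly from that database, so the deleted credential becomes unusable without touching the authenticator. The following is an added example illustrating that model, not code from the thread or from any real FIDO server; the class and function names (`CredentialStore`, `begin_assertion`, `finish_assertion`, `demo`) and the in-memory store are assumptions for the illustration, and signature verification is deliberately omitted.

```python
# Added example (not code from the thread or any FIDO server): a minimal RP-side
# credential store that derives allowCredentials from its own DB, so deleting a
# credential server-side makes it unusable exactly as if it had been removed from
# the authenticator. All names here are hypothetical.
import secrets
from dataclasses import dataclass


@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes      # a COSE-encoded key would live here; opaque in this example
    sign_count: int = 0


class CredentialStore:
    """In-memory stand-in for the RP's credential table, keyed by user handle."""

    def __init__(self) -> None:
        self._by_user: dict[str, dict[bytes, StoredCredential]] = {}

    def register(self, user: str, credential_id: bytes, public_key: bytes) -> None:
        self._by_user.setdefault(user, {})[credential_id] = StoredCredential(
            credential_id, public_key
        )

    def delete(self, user: str, credential_id: bytes) -> bool:
        """Management API: drop one credential; True if something was deleted."""
        return self._by_user.get(user, {}).pop(credential_id, None) is not None

    def allow_credentials(self, user: str) -> list[dict]:
        """PublicKeyCredentialDescriptor list built strictly from DB contents,
        so it only ever names this user's credentials (never another account's)."""
        return [{"type": "public-key", "id": cid} for cid in self._by_user.get(user, {})]

    def begin_assertion(self, user: str) -> dict:
        """Options the RP would hand to navigator.credentials.get()."""
        return {
            "challenge": secrets.token_bytes(32),
            "allowCredentials": self.allow_credentials(user),
        }

    def finish_assertion(self, user: str, credential_id: bytes, options: dict) -> bool:
        """Accept a response only for a credential still present in the DB.
        Signature verification is out of scope here and omitted."""
        allowed = {d["id"] for d in options["allowCredentials"]}
        if credential_id not in allowed:
            return False
        cred = self._by_user.get(user, {}).get(credential_id)
        if cred is None:
            return False
        cred.sign_count += 1
        return True


def demo() -> dict:
    """Register two credentials, delete one, and show the deleted one is unusable."""
    store = CredentialStore()
    alice_key1, alice_key2 = secrets.token_bytes(16), secrets.token_bytes(16)
    store.register("alice", alice_key1, b"pk1")
    store.register("alice", alice_key2, b"pk2")
    # A second account, possibly on the same physical authenticator.
    store.register("bob", secrets.token_bytes(16), b"pk3")

    before = store.begin_assertion("alice")
    store.delete("alice", alice_key1)
    after = store.begin_assertion("alice")
    return {
        "allowed_before": len(before["allowCredentials"]),
        "allowed_after": len(after["allowCredentials"]),
        "deleted_usable": store.finish_assertion("alice", alice_key1, after),
        "remaining_usable": store.finish_assertion("alice", alice_key2, after),
        # alice's options never expose bob's credential id
        "foreign_id_listed": any(
            d["id"] not in (alice_key1, alice_key2) for d in before["allowCredentials"]
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The point of building `allowCredentials` from the database rather than from anything the authenticator reports is twofold: a credential removed server-side can no longer be used even though the key pair still physically exists on the token, and each account's option set only names that account's own credential ids, which is the privacy property the comment refers to.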


Received on Friday, 14 May 2021 07:05:09 UTC
