- From: Charles Hubain via GitHub <sysbot+gh@w3.org>
- Date: Fri, 14 May 2021 07:05:06 +0000
- To: public-webauthn@w3.org
@cyberphone For our FIDO development and testing needs, our FIDO server has a specific API used to delete a credential from its DB, and we have a management interface in our test/demo applications. Since our FIDO server always sets the `allowCredentials` array according to its DB content, the behavior is exactly the same as if we had deleted the credential from the authenticator. I believe the reason why the client doesn't expose a delete credential API is for privacy reasons: this prevents the RP from discovering all the credentials (from potentially other accounts) managed by the authenticators. This could be used by a malicious RP as a way to break the "private navigation" model, or simply by a user attempting to maintain separate accounts on the same authenticator.

--
GitHub Notification of comment by haxelion
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1612#issuecomment-841057679 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 14 May 2021 07:05:09 UTC
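The RP-side mechanism described in the comment above, as an added example that is not part of the thread or of any FIDO server mentioned in it: a minimal credential store whose `allowCredentials` list is derived from the DB for one account only, so that deleting a credential server-side makes it unusable exactly as if it had been removed from the authenticator, and the RP never sees other accounts' credentials. All function and record names are hypothetical, and the credential IDs are constructed sample values.

```javascript
// Hypothetical RP credential store: userId -> Map(credentialId -> record).
// Credential IDs are kept as base64url strings here; a real RP decodes them
// to ArrayBuffers before handing them to navigator.credentials.get().
const store = new Map();

function registerCredential(userId, credentialId, publicKey, signCount = 0) {
  if (!store.has(userId)) store.set(userId, new Map());
  store.get(userId).set(credentialId, { publicKey, signCount, transports: ['internal'] });
}

// Server-side "delete": the only state the RP controls. Returns true if removed.
function deleteCredential(userId, credentialId) {
  const creds = store.get(userId);
  return creds ? creds.delete(credentialId) : false;
}

// Build PublicKeyCredentialRequestOptions.allowCredentials from the DB for ONE
// account. Scoping to the account is what keeps the RP from enumerating
// credentials that belong to other accounts on the same authenticator.
function buildAllowCredentials(userId) {
  const creds = store.get(userId) || new Map();
  return [...creds.entries()].map(([id, rec]) => ({
    type: 'public-key',
    id,
    transports: rec.transports,
  }));
}

// When an assertion comes back, accept it only if the credential it used is
// one the RP offered (i.e. still exists in the DB). A credential deleted
// server-side therefore fails exactly like one removed from the authenticator.
function isAllowedAssertion(userId, assertionCredentialId) {
  return buildAllowCredentials(userId).some((c) => c.id === assertionCredentialId);
}

// Walk through register -> delete -> verify with constructed sample data.
function demo() {
  registerCredential('alice', 'cred-A1', 'pubkey-A1');
  registerCredential('alice', 'cred-A2', 'pubkey-A2');
  registerCredential('bob', 'cred-B1', 'pubkey-B1');
  const before = buildAllowCredentials('alice').map((c) => c.id);
  deleteCredential('alice', 'cred-A1');
  const after = buildAllowCredentials('alice').map((c) => c.id);
  return { before, after, staleRejected: !isAllowedAssertion('alice', 'cred-A1') };
}
```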