Re: [webauthn] Managing FIDO keys (#1612)

@cyberphone For our FIDO development and testing needs, our FIDO server has a specific API used to delete a credential from its DB and we have a management interface in our test/demo applications. Since our FIDO server always sets the `allowCredentials` array according to its DB content, the behavior is exactly the same as if we had deleted the credential from the authenticator.

I believe the reason why the client doesn't expose a delete credential API is for privacy reasons: this prevents the RP from discovering all the credentials (from potentially other accounts) managed by the authenticators. This could be used by a malicious RP as a way to break the "private navigation" model or simply a user attempting to maintain separate accounts on the same authenticator.

GitHub Notification of comment by haxelion
Received on Friday, 14 May 2021 07:05:09 UTC
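The behaviour described in the comment above, as an added example that is not code from the issue thread or from haxelion's FIDO server: a toy RP credential store whose `allowCredentials` list is always derived from the RP's own database, beside a toy authenticator that holds credentials for several RPs. It shows that deleting a credential server-side and deleting it on the authenticator are indistinguishable from the RP's point of view, and that the only credential IDs an RP can ever name are the ones it registered itself. The class names, helper functions and credential IDs are constructed for illustration; a real server would additionally verify signatures and counters.

```python
"""Added example, not code from the issue thread or haxelion's FIDO server.

Toy RP credential store (allowCredentials built only from its DB) next to a
toy authenticator that holds credentials for several RPs. All names,
credential IDs and helper APIs here are constructed for illustration.
"""
import os


class RPCredentialStore:
    """Server-side record of the credentials registered per user for one RP."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._creds = {}  # user name -> set of credential IDs (bytes)

    def register(self, user, cred_id):
        self._creds.setdefault(user, set()).add(cred_id)

    def delete(self, user, cred_id):
        # The server-side "delete a credential from the DB" operation.
        self._creds.get(user, set()).discard(cred_id)

    def assertion_options(self, user):
        # allowCredentials is built purely from DB content: a credential
        # deleted here is never offered, so the authenticator never uses it.
        return {
            "rpId": self.rp_id,
            "challenge": os.urandom(32),
            "allowCredentials": [
                {"type": "public-key", "id": cid}
                for cid in sorted(self._creds.get(user, ()))
            ],
        }


class ToyAuthenticator:
    """Holds credentials for many RPs; only answers for IDs the RP names."""

    def __init__(self):
        self._creds = {}  # credential ID -> rpId it is bound to

    def make_credential(self, rp_id, cred_id=None):
        cred_id = cred_id or os.urandom(16)  # constructed IDs in the demos
        self._creds[cred_id] = rp_id
        return cred_id

    def delete(self, cred_id):
        # The authenticator-side deletion the comment compares against.
        self._creds.pop(cred_id, None)

    def get_assertion(self, options):
        # Candidates are the intersection of allowCredentials and the
        # credentials bound to options["rpId"]; nothing else is disclosed,
        # so the RP learns nothing about other RPs' or accounts' credentials.
        usable = [
            d["id"] for d in options["allowCredentials"]
            if self._creds.get(d["id"]) == options["rpId"]
        ]
        return {"credentialId": usable[0], "rpId": options["rpId"]} if usable else None


def compare_deletion_paths(user="alice"):
    """Credential each deletion path ends up asserting with (server vs authenticator)."""
    results = {}
    for path in ("server", "authenticator"):
        auth = ToyAuthenticator()
        rp = RPCredentialStore("example.com")
        c_old = auth.make_credential("example.com", b"old-credential")
        c_new = auth.make_credential("example.com", b"new-credential")
        auth.make_credential("other.example", b"other-rp-credential")
        rp.register(user, c_old)
        rp.register(user, c_new)
        if path == "server":
            rp.delete(user, c_old)  # DB-only deletion
        else:
            auth.delete(c_old)      # deletion on the authenticator itself
        resp = auth.get_assertion(rp.assertion_options(user))
        results[path] = resp["credentialId"] if resp else None
    return results


def rp_sees_only_own_ids(user="alice"):
    """The IDs an RP can place in allowCredentials are exactly those it registered."""
    auth = ToyAuthenticator()
    rp = RPCredentialStore("example.com")
    auth.make_credential("other.example", b"other-rp-credential")
    rp.register(user, auth.make_credential("example.com", b"mine"))
    return {d["id"] for d in rp.assertion_options(user)["allowCredentials"]}


if __name__ == "__main__":
    print(compare_deletion_paths())
    print(rp_sees_only_own_ids())
```

Both deletion paths yield an assertion with `new-credential` and never with `old-credential`, which is the equivalence the comment relies on; the second helper shows that the credential registered with `other.example` never appears in what `example.com` can ask for.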