Re: [webauthn] Managing FIDO keys (#1612)

@cyberphone For our FIDO development and testing needs, our FIDO server has a specific API used to delete a credential from its DB and we have a management interface in our test/demo applications. Since our FIDO server always set the `allowCredentials` array according to its DB content, the behavior is exactly the same as if we had deleted the credential from the authenticator.

I believe the reason why the client doesn't expose a delete credential API is for privacy reasons: this prevent the RP from discovering all the credentials (from potentially other accounts) managed by the authenticators. This could be used by a malicious RP as a way to break the "private navigation" model or simply a user attempting to maintain separate accounts on the same authenticator.

-- 
GitHub Notification of comment by haxelion
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1612#issuecomment-841057679 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 14 May 2021 07:05:09 UTC