@cyberphone For our FIDO development and testing needs, our FIDO server has a specific API used to delete a credential from its DB, and we have a management interface in our test/demo applications. Since our FIDO server always sets the `allowCredentials` array according to its DB content, the behavior is exactly the same as if we had deleted the credential from the authenticator.

I believe the reason why the client doesn't expose a delete credential API is for privacy reasons: this prevents the RP from discovering all the credentials (from potentially other accounts) managed by the authenticators. This could be used by a malicious RP as a way to break the "private navigation" model, or against a user simply attempting to maintain separate accounts on the same authenticator.

-- GitHub Notification of comment by haxelion
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1612#issuecomment-841057679 using your GitHub account

-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 14 May 2021 07:05:09 UTC
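An added example (written for this archive page, not code from the FIDO server or the thread) of the RP-side behaviour the comment describes: a credential store with a delete API, an `allowCredentials` list built only from the RP's own DB rows for the user, and server-side rejection of an assertion for a deleted credential id. Class and method names are assumptions.

```python
from dataclasses import dataclass
import secrets


@dataclass
class CredentialRecord:
    """One row of the RP's credential table (constructed for this example)."""
    credential_id: bytes
    user_id: str
    sign_count: int = 0


class RpCredentialStore:
    """Hypothetical RP-side credential store mirroring the behaviour in the comment."""

    def __init__(self) -> None:
        self._by_id: dict[bytes, CredentialRecord] = {}

    def register(self, user_id: str, credential_id: bytes) -> None:
        self._by_id[credential_id] = CredentialRecord(credential_id, user_id)

    def delete(self, credential_id: bytes) -> None:
        # The management "delete credential" API: the authenticator still holds
        # the private key, but the RP forgets the credential entirely.
        self._by_id.pop(credential_id, None)

    def assertion_options(self, user_id: str) -> dict:
        # allowCredentials comes only from the RP's DB rows for this user, so a
        # deleted credential is never offered, and credentials belonging to other
        # accounts or other RPs are never enumerated.
        return {
            "challenge": secrets.token_bytes(32),
            "allowCredentials": [
                {"type": "public-key", "id": rec.credential_id}
                for rec in self._by_id.values()
                if rec.user_id == user_id
            ],
        }

    def accept_assertion(self, user_id: str, credential_id: bytes) -> bool:
        # Server-side check that complements allowCredentials: even if a client
        # returned an assertion signed by a credential the RP no longer knows,
        # it is rejected, which is the same outcome as deleting it on the device.
        rec = self._by_id.get(credential_id)
        return rec is not None and rec.user_id == user_id
```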
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:43 UTC