Re: [webauthn] conditional UI via mediation (#1576)

Further considerations upon reflection: wrt the proposed `silentCredentialDiscovery` operation, how will that interact with credentials' "[credential protection policy](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=The%20list%20of%20possible%20values%20for%20credProtect%20is)" (aka "[credProtect](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension)")?

( apologies if someone has already explained this and I've forgotten... )

AFAICT, in the present conditional mediation formulation (up thru ff37db6) the user does not even have to "interact" with the page before the client platform invokes the `silentCredentialDiscovery` operation. If an authenticator becomes available and it supports the `silentCredentialDiscovery` operation, discoverable creds mapped to the present RP ID are enumerated, and user verification has not yet occurred (IIUC). What happens if those creds were created at credProtect levels 2 or 3? Presently, the latter creds would not be discovered.

RPs may override any platform-imposed credProtect policy --- are we implicitly assuming that RPs creating new user creds and wishing to employ conditional mediation need to also explicitly stipulate a credProtect policy of 1 (userVerificationOptional) when creating (discoverable) creds?

In any case, IIUC, we probably ought to Note here in the WebAuthn spec credProtect implications wrt conditional mediation and provide some appropriate guidance for RPs ...?

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1576#issuecomment-963680376 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 8 November 2021 23:51:26 UTC
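The interaction the comment above asks about, as an added example that is not part of the thread, the WebAuthn PR, or the CTAP spec text: a small model of the CTAP 2.1 credProtect rules (level 1 always discoverable, level 2 only with an allowList or after user verification, level 3 only after user verification) applied to a silent, interaction-free discovery with no allowList and no UV, which is the situation the `silentCredentialDiscovery` operation would be in. It also builds the creation options an RP would pass to `navigator.credentials.create()` to keep a discoverable credential at level 1. The client extension names `credentialProtectionPolicy` and `enforceCredentialProtectionPolicy` are those used by browsers that implement the credProtect extension and are an assumption here, as are the sample credentials, the `example.com` RP ID and the placeholder challenge.

```javascript
// Added example, not code from the thread or the WebAuthn spec: models how
// CTAP 2.1 credProtect levels gate which discoverable credentials a silent
// (no interaction, no UV, no allowList) discovery can see, and shows the
// creation options an RP would use so its creds remain discoverable that way.

const CredProtect = Object.freeze({
  USER_VERIFICATION_OPTIONAL: 1,                         // "userVerificationOptional"
  USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST: 2, // "userVerificationOptionalWithCredentialIDList"
  USER_VERIFICATION_REQUIRED: 3,                         // "userVerificationRequired"
});

// Authenticator-side visibility rule for one credential (CTAP 2.1 credProtect semantics):
//   level 1: always returned
//   level 2: returned only if its id is in the allowList, or UV was performed
//   level 3: returned only if UV was performed
function isCredentialVisible(cred, { allowList = [], uvPerformed = false } = {}) {
  switch (cred.credProtect) {
    case CredProtect.USER_VERIFICATION_OPTIONAL:
      return true;
    case CredProtect.USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST:
      return uvPerformed || allowList.includes(cred.id);
    case CredProtect.USER_VERIFICATION_REQUIRED:
      return uvPerformed;
    default:
      throw new Error(`unknown credProtect level ${cred.credProtect}`);
  }
}

// Model of the proposed silentCredentialDiscovery: conditional mediation has
// not had any user interaction or UV, and enumerates discoverable credentials
// for the RP ID without an allowList.
function silentCredentialDiscovery(credentials, rpId) {
  return credentials
    .filter((c) => c.rpId === rpId && c.discoverable)
    .filter((c) => isCredentialVisible(c, { allowList: [], uvPerformed: false }))
    .map((c) => ({ id: c.id, userHandle: c.userHandle }));
}

// Constructed sample authenticator state (assumption, for the demonstration only).
const SAMPLE_CREDENTIALS = [
  { id: "cred-a", rpId: "example.com",   discoverable: true, userHandle: "u1", credProtect: 1 },
  { id: "cred-b", rpId: "example.com",   discoverable: true, userHandle: "u2", credProtect: 2 },
  { id: "cred-c", rpId: "example.com",   discoverable: true, userHandle: "u3", credProtect: 3 },
  { id: "cred-d", rpId: "other.example", discoverable: true, userHandle: "u4", credProtect: 1 },
];

// RP-side creation options that request a discoverable credential at
// credProtect level 1 so a silent discovery can still enumerate it.
// Extension names are those used by browsers implementing credProtect
// (assumption); `challenge` and user ids are placeholders supplied by the RP server.
function buildCreationOptions({ challenge, userId, userName }) {
  return {
    rp: { id: "example.com", name: "Example RP" },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
    authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
    extensions: {
      credentialProtectionPolicy: "userVerificationOptional", // level 1
      enforceCredentialProtectionPolicy: false,               // do not fail on authenticators lacking credProtect
    },
  };
}

// Stand-alone run: only cred-a (level 1) is visible to the silent discovery;
// cred-b and cred-c exist for example.com but are hidden without allowList/UV.
if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(silentCredentialDiscovery(SAMPLE_CREDENTIALS, "example.com"));
}
```

Running `silentCredentialDiscovery` over the sample state returns only `cred-a`: the level-2 and level-3 credentials for the same RP ID are present on the authenticator but invisible to a discovery that has neither an allowList nor user verification, which is the gap the comment points at. An RP that wants conditional mediation to find its credentials therefore has to register them at level 1, as `buildCreationOptions` does; registering at level 2 or 3 keeps them out of the silent enumeration until UV has happened.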