- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Mon, 08 Nov 2021 23:51:24 +0000
- To: public-webauthn@w3.org
Further considerations upon reflection:

wrt the proposed `silentCredentialDiscovery` operation, how will that interact with credentials' "[credential protection policy](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=The%20list%20of%20possible%20values%20for%20credProtect%20is)" (aka "[credProtect](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension)")? (apologies if someone has already explained this and I've forgotten...)

AFAiCT, in the present conditional media formulation (up thru ff37db6) the user does not even have to "interact" with page before the client platform invokes the `silentCredentialDiscovery` operation. If an authenticator becomes available and it supports the `silentCredentialDiscovery` operation, discoverable creds mapped to the present RP ID are enumerated, and user verification has not yet occurred (IIUC).

What happens if those creds were created at credProtect levels 2 or 3? Presently, the latter creds would not be discovered.

RPs may override any platform-imposed credProtect policy --- are we implicitly assuming that RPs creating new user creds and wishing to employ conditional mediation need to also explicitly stipulate a credProtect policy of 1 (userVerificationOptional) when creating (discoverable) creds?

In any case, IIUC, we probably ought to Note here in the WebAuthn spec credProtect implications wrt conditional mediation and provide some appropriate guidance for RPs ...?

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1576#issuecomment-963680376 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 8 November 2021 23:51:26 UTC
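
The credProtect interaction raised in the message above, as an added example that is not part of the message, the pull request, or any browser or authenticator code: it models the three CTAP 2.1 credProtect levels to show which discoverable credentials an enumeration performed before user verification could return. The function names, the sample credentials and the `example.com` RP ID are constructed for illustration; `credentialProtectionPolicy` and `enforceCredentialProtectionPolicy` are the extension inputs defined in CTAP 2.1.

```javascript
// Added illustration: a model of CTAP 2.1 credProtect filtering, not browser or authenticator code.
const CRED_PROTECT = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// Returns the stored discoverable credentials an authenticator may reveal.
// request: { rpId, allowList: [credential ids], uvPerformed: boolean }
function visibleCredentials(stored, request) {
  const allow = new Set(request.allowList || []);
  return stored.filter((cred) => {
    if (cred.rpId !== request.rpId) return false;
    if (allow.size > 0 && !allow.has(cred.id)) return false;
    if (request.uvPerformed) return true; // UV satisfies every level
    switch (cred.credProtect) {
      case CRED_PROTECT.userVerificationOptional:
        return true; // level 1: discoverable without UV
      case CRED_PROTECT.userVerificationOptionalWithCredentialIDList:
        return allow.has(cred.id); // level 2: only if the RP already supplied the id
      default:
        return false; // level 3 or unknown level: fail closed
    }
  });
}

// RP-side extension inputs for navigator.credentials.create().
// enforce=false is an assumption: creation still succeeds on authenticators without credProtect.
function creationExtensions(policy, enforce = false) {
  if (!Object.prototype.hasOwnProperty.call(CRED_PROTECT, policy)) {
    throw new RangeError(`unknown credProtect policy: ${policy}`);
  }
  return { credentialProtectionPolicy: policy, enforceCredentialProtectionPolicy: enforce };
}

// Constructed sample: credentials held by one authenticator.
const SAMPLE = [
  { id: "cred-l1", rpId: "example.com", credProtect: 1 },
  { id: "cred-l2", rpId: "example.com", credProtect: 2 },
  { id: "cred-l3", rpId: "example.com", credProtect: 3 },
  { id: "cred-other", rpId: "other.example", credProtect: 1 },
];
const ids = (creds) => creds.map((c) => c.id).join(",");

// Enumeration with an empty allow list and no UV yet: only the level 1 credential is visible.
const preUv = { rpId: "example.com", allowList: [], uvPerformed: false };
console.log("before UV:", ids(visibleCredentials(SAMPLE, preUv)));
console.log("after UV: ", ids(visibleCredentials(SAMPLE, { ...preUv, uvPerformed: true })));
```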