
Re: [webauthn] conditional UI via mediation (#1576)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 08 Nov 2021 23:51:24 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-963680376-1636415482-sysbot+gh@w3.org>
Further considerations upon reflection: wrt the proposed `silentCredentialDiscovery` operation, how will that interact with credentials' "[credential protection policy](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=The%20list%20of%20possible%20values%20for%20credProtect%20is)" (aka "[credProtect](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credProtect-extension)")?
 
( apologies if someone has already explained this and I've forgotten... )

AFAICT, in the present conditional mediation formulation (up thru ff37db6) the user does not even have to "interact" with the page before the client platform invokes the `silentCredentialDiscovery` operation. If an authenticator becomes available and it supports the `silentCredentialDiscovery` operation, discoverable creds mapped to the present RP ID are enumerated, and user verification has not yet occurred (IIUC). What happens if those creds were created at credProtect levels 2 or 3? Presently, the latter creds would not be discovered.

RPs may override any platform-imposed credProtect policy --- are we implicitly assuming that RPs creating new user creds and wishing to employ conditional mediation need to also explicitly stipulate a credProtect policy of 1 (userVerificationOptional) when creating (discoverable) creds?

In any case, IIUC, we probably ought to note here in the WebAuthn spec the credProtect implications wrt conditional mediation and provide some appropriate guidance for RPs ...?

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1576#issuecomment-963680376 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 8 November 2021 23:51:26 UTC
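The interaction the message above asks about, as an added worked example that is not part of the thread or of the WebAuthn/CTAP specifications. The registration and conditional `get()` option shapes use the WebAuthn client extension inputs for credProtect (`credentialProtectionPolicy`, `enforceCredentialProtectionPolicy`) and `mediation: "conditional"`; the "authenticator" is a constructed in-memory model of the CTAP 2.1 credProtect levels, the RP ID `example.com` and the credential store are invented sample data, and `discoverableFor`, `silentDiscoveryIds` and the other helper names are the example's own.

```javascript
// Added example (not from the thread): how the credProtect policy chosen at
// registration decides whether a discoverable credential can be enumerated
// by a silent, pre-UV discovery such as the one conditional mediation performs.

const RP_ID = "example.com"; // constructed sample RP ID

// Registration options for a discoverable credential. An RP that intends to
// sign users in via conditional mediation asks for credProtect level 1
// ("userVerificationOptional") explicitly and tells the client to enforce it,
// so a platform default of level 2 or 3 cannot leave the credential hidden
// from silent discovery.
function buildRegistrationOptions({ challenge, userId, userName }) {
  return {
    publicKey: {
      rp: { id: RP_ID, name: "Example" },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey: "required",       // discoverable credential
        userVerification: "preferred",
      },
      extensions: {
        credentialProtectionPolicy: "userVerificationOptional",
        enforceCredentialProtectionPolicy: true,
      },
    },
  };
}

// Options for a conditional-mediation get(): no allowCredentials, so the
// client has to discover credentials for RP_ID silently before any UV.
function buildConditionalGetOptions(challenge) {
  return {
    mediation: "conditional",
    publicKey: { rpId: RP_ID, challenge, allowCredentials: [], userVerification: "preferred" },
  };
}

// Model of which discoverable credentials an authenticator returns for an
// assertion request (CTAP 2.1 credProtect levels, simplified):
//   1 userVerificationOptional: always visible;
//   2 userVerificationOptionalWithCredentialIDList: visible only if the request's
//     allowList names the credential, or user verification has been performed;
//   3 userVerificationRequired: visible only after user verification.
// A silent discovery has neither an allowList nor UV, so only level-1
// credentials can be enumerated.
function discoverableFor(store, rpId, { userVerified = false, allowList = [] } = {}) {
  return store.filter((c) => {
    if (c.rpId !== rpId || !c.discoverable) return false;
    const listed = allowList.includes(c.credentialId);
    switch (c.credProtect) {
      case 1: return true;
      case 2: return userVerified || listed;
      case 3: return userVerified;
      default: return false; // unknown level: fail closed
    }
  });
}

// Constructed sample credential store on a hypothetical authenticator.
const SAMPLE_STORE = [
  { credentialId: "cred-a", rpId: RP_ID, discoverable: true, credProtect: 1 },
  { credentialId: "cred-b", rpId: RP_ID, discoverable: true, credProtect: 2 },
  { credentialId: "cred-c", rpId: RP_ID, discoverable: true, credProtect: 3 },
  { credentialId: "cred-d", rpId: "other.example", discoverable: true, credProtect: 1 },
];

// What a silent (no allowList, no UV) discovery for RP_ID sees.
function silentDiscoveryIds(store = SAMPLE_STORE) {
  return discoverableFor(store, RP_ID).map((c) => c.credentialId);
}

// What the same authenticator exposes once the user has been verified.
function verifiedDiscoveryIds(store = SAMPLE_STORE) {
  return discoverableFor(store, RP_ID, { userVerified: true }).map((c) => c.credentialId);
}

// Browser-side use; returns null outside a browser so the module loads anywhere.
async function signInConditionally(challenge) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  return navigator.credentials.get(buildConditionalGetOptions(challenge));
}
```

Running `silentDiscoveryIds()` against the sample store yields only `cred-a`; `cred-b` and `cred-c` (levels 2 and 3) stay hidden until UV, which is the gap the message points out. In the browser, `signInConditionally()` is paired with an `<input autocomplete="username webauthn">` field so the discovered credential can be offered in the autofill UI.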
