Re: [webauthn] Why not email/username as user.id / user handle? (#1763)

It was probably poorly phrased from me. Indeed the user id is transmitted into the authentication payload. What I meant is that it is of no practical use. What you store in your database as an RP is typically "username/email -> list of public key credentials". So basically, you have to either transmit the "username/email" directly or map the user id to username/email on the server side.

Regarding the user "name", from the specs:

> it is a [human-palatable](https://w3c.github.io/webauthn/#human-palatability) identifier for a [user account](https://w3c.github.io/webauthn/#user-account). It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar [displayName](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-displayname)s. For example, "alexm", "alex.mueller@example.com" or "+14255551234". 

So basically, it is just an identifier. I don't really see the problem with things like "divorce, leaving domestic violence, ...". More like when changing one's username/email/phone. But in that case, the solution looks simple to me: create new credentials. Done.

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1763#issuecomment-1175888711 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 07:39:32 UTC