Re: [webauthn] Why not email/username as user.id / user handle? (#1763) from Arnaud Dagnelies via GitHub on 2022-07-06 (public-webauthn@w3.org from July 2022)

From: Arnaud Dagnelies via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Jul 2022 19:03:04 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1176571511-1657134181-sysbot+gh@w3.org>

Ok. Thanks for the answers. So to summarize, because the users can freely be listed on external security keys, they require some cryptic handle to ensure usernames are not leaked. I understand that. 

Nevertheless, from an outsider's POV, I find the property names could have been chosen much better, like:

    user.id => the username/email instead
    user.displayName => should be optional IMHO
    user.securityKeyHandle => the anonymized thingy listed by security keys

... Or alternatively "anonymizedId" or something like that. 

This would have been much more intuitive IMHO. 

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1763#issuecomment-1176571511 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 6 July 2022 19:03:06 UTC