- From: Paul Wise via GitHub <sysbot+gh@w3.org>
- Date: Sun, 20 Nov 2022 01:18:47 +0000
- To: public-webauthn@w3.org
Some final thoughts:

The webcam/etc permission decisions are discoverable, so there is no reason the same sort of browser UI couldn't be used for WebAuthn, Basic Auth and TLS client cert logout.

The problem with the web page logout button is that it looks different on every website. The user also cannot be certain what it does. It could still track the user via cookies even though they logged out. Some of them may use GET requests instead of POST, which means malicious websites could log you out of some other website.

The website would still be the initiator of WebAuthn login events, so the choice of login provider would still be possible.

For registration you would convey the guidelines in the registration form that appears after you authenticate via WebAuthn but without yet having a user account. The registration data would be transmitted by normal HTTP form submission separate to the WebAuthn credential and the registration submission would tie the username to the credential.

In my proposal, there would be no sessions and hopefully no cookies, just "logged in as foo" or "not logged in" states.

I don't know enough about WebAuthn to answer about the challenges, but TLS client certs don't have slowness, so I doubt WebAuthn will either.

The advantage of WebAuthn over TLS client certs is there aren't any common hardware tokens for certs and browser vendors prefer WebAuthn so they might eventually just remove TLS client certs entirely, since they have already removed some related features like <keygen>.

Anyways, it is clear my HTTP/TLS proposal isn't going to be accepted nor well liked among web developers, so I'll stop discussing it here.

--
bye,
pabs

https://bonedaddy.net/pabs3/

--
GitHub Notification of comment by pabs3
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-1321007596 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 20 November 2022 01:18:49 UTC