[webauthn] Merged Pull Request: Recommend duration of challenge validity

emlun has just merged emlun's pull request 1855 for https://github.com/w3c/webauthn:

== Recommend duration of challenge validity ==
Fixes #1848.

Additions I also considered but decided against:

- Mentioning that the RP MAY enforce a shorter timeout if a shorter `options.timeout` is requested. I think the recommendation of a "similar" timeout probably communicates that this is a vague limit with a lot of wiggle room for such things.
- Recommending that challenges SHOULD NOT be valid past the recommended duration. This is softly implied, and doesn't seem necessary as this section comes from the angle of how long the RP _needs_ to store the challenge, so the RP probably prefers a short time already.
- Recommending allowing only a single verification attempt per challenge/ceremony. While probably a good idea, it shouldn't matter much in practice, and there might be reasons to allow retrying in some cases. It's also perhaps not entirely clear what "once per ceremony" means - once per `navigator.credentials.{create,get}()` call or once per session? - so it might be more confusing than helpful.

***
<a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/pull/1855.html" title="Last updated on Jun 28, 2023, 10:11 AM UTC (c36459f)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/1855/6dfbdba...c36459f.html" title="Last updated on Jun 28, 2023, 10:11 AM UTC (c36459f)">Diff</a>

See https://github.com/w3c/webauthn/pull/1855


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 15 November 2023 20:11:54 UTC
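The pull request description above reasons about how long a relying party needs to keep a challenge around (a duration similar to the ceremony's `options.timeout`) and whether a challenge should be accepted only once. As an added example that is not part of the pull request, the specification or this mailing-list message, the following Python sketch shows one way an RP can implement that server side: each issued challenge carries a deadline derived from the timeout passed to `navigator.credentials.create()`/`get()`, and it is removed from the store the moment it is checked, so a second verification attempt (or a replay after a failed one) is rejected. The class and method names, the `session_id` key and the 300000 ms default are assumptions of this example, not names from the specification.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class ChallengeStore:
    """Relying-party side store of outstanding WebAuthn challenges.

    Added example, not text from the specification or the PR. It assumes the
    RP keys challenges by an opaque session identifier (hypothetical name
    ``session_id``) and that ``timeout_ms`` mirrors the ``options.timeout``
    value the RP hands to navigator.credentials.create()/get(). The default
    timeout below is an assumption chosen for illustration.
    """

    def __init__(self, default_timeout_ms: int = 300_000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._default_timeout_ms = default_timeout_ms
        # The clock is injectable so expiry behaviour can be tested deterministically.
        self._clock = clock
        # session_id -> (challenge bytes, monotonic deadline in seconds)
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def issue(self, session_id: str, timeout_ms: Optional[int] = None) -> bytes:
        """Create a fresh challenge for one ceremony and record when it expires."""
        ttl_ms = self._default_timeout_ms if timeout_ms is None else timeout_ms
        # The specification requires at least 16 bytes of randomness; 32 is used here.
        challenge = secrets.token_bytes(32)
        # Starting a new ceremony for the same session replaces any older challenge,
        # so only the most recently issued one can ever be verified.
        self._pending[session_id] = (challenge, self._clock() + ttl_ms / 1000.0)
        return challenge

    def consume(self, session_id: str, presented: bytes) -> bool:
        """Check a challenge echoed back (already base64url-decoded from
        clientDataJSON.challenge). The stored entry is removed on the first
        check regardless of outcome, giving exactly one verification attempt."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False  # unknown session, already used, or already purged
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False  # response arrived after the ceremony deadline
        # Constant-time comparison; different lengths simply compare unequal.
        return secrets.compare_digest(expected, presented)

    def purge_expired(self) -> int:
        """Drop challenges whose deadline has passed; returns how many were removed."""
        now = self._clock()
        stale = [sid for sid, (_, deadline) in self._pending.items() if now > deadline]
        for sid in stale:
            del self._pending[sid]
        return len(stale)
```

Because `consume` pops the entry before any check, a mismatching or late response burns the challenge, which is the stricter "single verification attempt per ceremony" behaviour the PR author considered but chose not to recommend; an RP that wants to permit retries would instead keep the entry until either a successful check or expiry. A periodic call to `purge_expired` keeps the store from growing with abandoned ceremonies.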