Re: [webauthn] Add new getClientCapabilities method (#1923)

> As an exercise to make sure I understand how the `passkey-platform-authenticator` capability will encode `user-verifying-platform-authenticator` and `hybrid-transport` capabilities:

The discussion (on the 2023-11-15 WG call) centered around how the client would have to handle these flags in order to not inadvertently leak fingerprinting information. The motivating example was that Bluetooth may or may not be available on Windows devices, so a client may not want to report a `hybrid` capability in order to not leak that as a fingerprinting bit. In that case, the client would _also_ need to consider that `passkey-platform-authenticator` is equivalent to `user-verifying-platform-authenticator OR hybrid`, so if `uvpaa: false, ppa: true`, then the RP can conclude `hybrid: true` (and also `uvpaa: false, ppa: false => hybrid: false`).

So I would rather say that `passkey-platform-authenticator` would need to be undefined if either of `user-verifying-platform-authenticator` or `hybrid` is undefined (or, equivalently, the former should be present if and only if BOTH of the latter are present):

```
uvpaa | hybrid |  ppa
------|--------|-------
  y   |   y    |   y
  y   |   n    |   y
  y   |   ?    |   ?
  n   |   y    |   y
  n   |   n    |   n
  n   |   ?    |   ?
  ?   |   y    |   ?
  ?   |   n    |   ?
  ?   |   ?    |   ?
```


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1923#issuecomment-1813268032 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 15 November 2023 21:12:23 UTC
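
The table rule from the comment above, as an added example (not code from the comment, the pull request, or the WebAuthn specification). It contrasts a client that withholds `hybrid` but still computes `ppa` from the real values with one that follows the table, and shows what an RP can deduce in each case. The function names, the `safe` switch and the sample device are assumptions made for illustration.

```javascript
// Added example. Values are tri-state: true, false, or undefined (withheld).
// uvpaa / hybrid / ppa are the abbreviations used in the table above.

// Table rule: ppa is present only if BOTH inputs are present, then it is their OR.
function derivePpa(uvpaa, hybrid) {
  if (uvpaa === undefined || hybrid === undefined) return undefined;
  return uvpaa || hybrid;
}

// Build what the client reports. `actual` holds the real capabilities,
// `withheld` lists the ones the client hides. With safe=false, ppa is computed
// from the real values even when an input is hidden (the leaky variant).
function buildReport(actual, withheld, safe) {
  const uvpaa = withheld.includes("uvpaa") ? undefined : actual.uvpaa;
  const hybrid = withheld.includes("hybrid") ? undefined : actual.hybrid;
  const ppa = safe ? derivePpa(uvpaa, hybrid) : actual.uvpaa || actual.hybrid;
  return { uvpaa, hybrid, ppa };
}

// What an RP can deduce about `hybrid` from a report, using ppa = uvpaa OR hybrid.
// Returns undefined when the report does not determine it.
function inferHybrid(report) {
  if (report.hybrid !== undefined) return report.hybrid;
  if (report.ppa === false) return false; // OR is false => both inputs are false
  if (report.uvpaa === false && report.ppa === true) return true;
  return undefined;
}

// Constructed sample: a device without a platform authenticator but with
// Bluetooth, whose client withholds `hybrid`.
const actual = { uvpaa: false, hybrid: true };
const leaky = buildReport(actual, ["hybrid"], false);
const safe = buildReport(actual, ["hybrid"], true);
console.log("leaky report:", leaky, "=> RP infers hybrid =", inferHybrid(leaky));
console.log("safe report: ", safe, "=> RP infers hybrid =", inferHybrid(safe));
```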