Re: [webauthn] How to know if a user has already registered a device? (#1749)

> A site can create many subdomains and register different users on different subdomains, then probe for credentials on each. So the fingerprinting surface is more than one bit.

This is the same as creating a bunch of 1st party cookies to do the same? I understand a [super-cookie as something which works across origins](https://blog.mozilla.org/en/internet-culture/mozilla-explains-cookies-and-supercookies/) and allows an attacker to trace you across sites. If a super-cookie means "almost no expiration 1st party tracing cookie" then yes, `exists` would enable that. But it would not enable cross-site tracing on its own. Different origins would have to coordinate between them. Like they have to do when tracing with 1st party cookies today.

Personally, I think what is needed is just a `getOrCreate` API call and this is it. This is all I need. If the user is already registered with the site, return its credential, if not, register. As a site I do not really care. I just want a credential I can use. The user should also not care or remember if they have to "sign in" or "sign up" on the particular site. Just press the "use keypass" button and you are good.

It seems #1568 is already asking for this.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1825271159 using your GitHub account


Received on Friday, 24 November 2023 07:52:45 UTC