Re: [webauthn] [Superset] Updating credential metadata and requesting deletion of stale credentials (#1967)

In the interest of having something concrete to discuss, here's another attempt (somewhat inspired by [my previous one](https://github.com/w3c/webauthn/issues/1560#issuecomment-799755300), but rather different). How about a new `updateCredentials` client extension?

```
extensions: {
  updateCredentials: {
    user: {
      id: new Uint8Array([1, 2, 3, 4]),  // User handle of the user account whose credentials to update/garbage-collect
      name: "example",                   // New value for user.name
      displayName: "Example User",       // New value for user.displayName
    },
    validCredentials: [
      // List of all credentials valid for this account
      // Credentials with these IDs have their user.name and user.displayName updated
      // Credentials with above user handle and none of these IDs are deleted
      { type: "public-key", id: new Uint8Array([96, 231, 209, 27, /* ... */ ])},
      { type: "public-key", id: new Uint8Array([165, 225, 44, 123, /* ... */ ])},
      { type: "public-key", id: new Uint8Array([112, 235, 14, 6, /* ... */ ])},
      /* ... */
    ],
  },
},
```

As noted in the inline comments, the idea is:

- We address credentials to be updated by the combination of (user handle, credential ID).
- The RP lists all credentials that **should remain** after cleanup.
- Authenticators delete any credentials that have the given `user.id` but whose credential ID is not listed in `validCredentials`.
- Authenticators update the `user.name` and `user.displayName` of each credential to the given values.
- No extension output, no feedback returned to the RP.

The main idea is that this way the RP doesn't need to track state changes over time, rather it only needs to report the current state.

Thoughts?


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1747390584 using your GitHub account



Received on Wednesday, 4 October 2023 18:02:27 UTC
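
A sketch of the authenticator-side processing that the comment above proposes, as an added example that is not part of the original message or of any WebAuthn specification. The `applyUpdateCredentials` function, the store layout and the scoping by `rpId` are assumptions made for illustration, and the sample credentials are constructed.

```javascript
// Added illustration: models the proposed (hypothetical) updateCredentials
// processing over an in-memory store of discoverable credentials.
const hex = (bytes) => Buffer.from(bytes).toString("hex");

// Assumption: the store is scoped by RP ID, so the same user handle bytes
// registered at a different RP are never touched.
function applyUpdateCredentials(store, rpId, ext) {
  const handle = hex(ext.user.id);
  const valid = new Set(ext.validCredentials.map((d) => hex(d.id)));
  const kept = [];
  const deleted = [];
  for (const cred of store) {
    const sameAccount = cred.rpId === rpId && hex(cred.userHandle) === handle;
    if (!sameAccount) {
      kept.push(cred); // other RP or other user: untouched
    } else if (valid.has(hex(cred.id))) {
      // Listed in validCredentials: keep and refresh the metadata.
      kept.push({ ...cred, name: ext.user.name, displayName: ext.user.displayName });
    } else {
      deleted.push(hex(cred.id)); // same user handle, not listed: removed
    }
  }
  // Mirrors the proposal: nothing here is reported back to the RP.
  return { store: kept, deleted };
}

// Constructed sample store (not real credential IDs).
const sampleStore = [
  { rpId: "example.org", userHandle: [1, 2, 3, 4], id: [0x60, 0xe7], name: "old", displayName: "Old" },
  { rpId: "example.org", userHandle: [1, 2, 3, 4], id: [0xde, 0xad], name: "old", displayName: "Old" },
  { rpId: "example.org", userHandle: [9, 9], id: [0x11], name: "other", displayName: "Other" },
  { rpId: "example.net", userHandle: [1, 2, 3, 4], id: [0x22], name: "x", displayName: "X" },
];

const result = applyUpdateCredentials(sampleStore, "example.org", {
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "example", displayName: "Example User" },
  validCredentials: [{ type: "public-key", id: new Uint8Array([0x60, 0xe7]) }],
});
console.log(result.deleted, result.store.map((c) => `${c.rpId}:${c.name}`));
```

Under this model an empty `validCredentials` list deletes every credential stored for that user handle at the RP, so an RP would need to be sure its list is complete before sending it.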