- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 05 Oct 2023 15:29:13 +0000
- To: public-webauthn@w3.org
> When this `delete` then fails what does the RP do? Do we delete the credential anyway and then the user has to clean up in their pwmanager / key manager?

> The credentials should always be deleted (or rendered inoperable) on the server side. The way I envision it, deleting the credential on the authenticator is a nice-to-have.

This is why I proposed a state transfer approach instead of an action-oriented approach - the former eliminates the problem by letting the authenticator(s), instead of the RP, figure out what needs to change to reflect the most recent state. If the user unplugs their USB security key before clicking "delete" in the RP UI, that doesn't matter because the RP can just send the current state at the next opportunity (be it login, a credential management operation or whatever).

--
GitHub Notification of comment by emlun

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1749137172 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 5 October 2023 15:29:14 UTC
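
The unplugged-key scenario from the comment above, as an added example that is not part of the original message and not a WebAuthn API: a small model comparing a one-shot delete command with sending the full accepted-credential state. All function names and credential IDs are hypothetical, and the authenticator is assumed to hold credentials for this one RP only.

```javascript
// Added illustration; every name here is hypothetical, not a WebAuthn API.

// Minimal authenticator model: stored credential IDs plus a flag for
// whether the RP can reach it right now (e.g. USB key plugged in).
function makeAuthenticator(credentialIds) {
  return { stored: new Set(credentialIds), connected: true };
}

// Action-oriented: the RP issues a one-shot "delete X" command.
// If the authenticator is unreachable, the command is lost.
function sendDeleteAction(authenticator, credentialId) {
  if (!authenticator.connected) return false;
  return authenticator.stored.delete(credentialId);
}

// State transfer: the RP sends the complete set of credential IDs it
// still accepts; the authenticator works out what to drop.
// Returns the IDs removed. Repeating the call is harmless (idempotent).
function syncAcceptedState(authenticator, acceptedIds) {
  if (!authenticator.connected) return [];
  const accepted = new Set(acceptedIds);
  const removed = [...authenticator.stored].filter((id) => !accepted.has(id));
  removed.forEach((id) => authenticator.stored.delete(id));
  return removed;
}

// Scenario: the key is unplugged before "delete" is clicked in the RP UI.
function runScenario(useStateTransfer) {
  const rpAccepted = new Set(["cred-A", "cred-B"]); // constructed sample IDs
  const key = makeAuthenticator(["cred-A", "cred-B"]);

  key.connected = false;        // user unplugs the security key
  rpAccepted.delete("cred-B");  // the RP always deletes server-side
  if (useStateTransfer) syncAcceptedState(key, rpAccepted);
  else sendDeleteAction(key, "cred-B");

  key.connected = true;         // next opportunity, e.g. a login
  if (useStateTransfer) syncAcceptedState(key, rpAccepted);
  // An action-oriented RP has nothing left to send unless it keeps a retry queue.

  return [...key.stored].sort(); // what the authenticator still holds
}

console.log("action-oriented:", runScenario(false));
console.log("state transfer: ", runScenario(true));
```

In both runs the credential is already unusable at the RP; the difference is only whether the stale entry lingers on the authenticator.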