[webauthn] Review privacy concerns around error conditions (#2132)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Review privacy concerns around error conditions ==
The spec contains privacy concerns such as this in the final steps of [§5.1.3. Create a New Credential](https://w3c.github.io/webauthn/#sctn-createCredential) and [§5.1.4. Use an Existing Credential to Make an Assertion](https://w3c.github.io/webauthn/#sctn-discover-from-external-source):

>Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException). In order to prevent information leak that could identify the user without [consent](https://w3c.github.io/webauthn/#user-consent), this step MUST NOT be executed before _lifetimeTimer_ has expired. See [§ 14.5.1 Registration Ceremony Privacy](https://w3c.github.io/webauthn/#sctn-make-credential-privacy) for details.

These privacy concerns were written for an architecture of these operations that is no longer relevant, and may in fact not have been relevant even at the time the privacy concerns were written (see: https://github.com/w3c/webauthn/pull/2095#discussion_r1698881047). We should review whether these privacy concerns are still valid or whether they can be shown to be redundant under the current specification of these operations and thus removed. This would simplify initiatives such as #2096 and #2095.

## Proposed Change

Review the validity of these privacy concerns. If they can be shown redundant, delete the prohibition against returning certain errors due to these privacy concerns.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2132 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 28 August 2024 19:21:40 UTC
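
The timing rule in the quoted spec step, modelled as an added example that is not part of the issue, the spec, or any browser's code. The failure-reason labels, function names and event times are constructed for illustration; the model compares what a calling page can observe when the error is held until _lifetimeTimer_ expires with what it can observe when the error is released early.

```javascript
// Simulated-clock model of the quoted rule: a "NotAllowedError" must not be
// surfaced before lifetimeTimer has expired. All names here are hypothetical.

// events: [{ atMs, kind }] sorted by time; kind is "success" or an internal
// failure reason. Returns what the calling page observes: { atMs, result }.
function observeCeremony(events, timeoutMs, enforceTimer = true) {
  for (const ev of events) {
    if (ev.atMs >= timeoutMs) break; // lifetimeTimer expired first
    if (ev.kind === "success") {
      return { atMs: ev.atMs, result: "credential" }; // success is not delayed
    }
    if (!enforceTimer) {
      // Early-release variant: the error surfaces when its cause is known,
      // so its arrival time depends on the internal failure reason.
      return { atMs: ev.atMs, result: "NotAllowedError" };
    }
    // Enforced variant: hold the error and keep waiting for other events.
  }
  return { atMs: timeoutMs, result: "NotAllowedError" };
}

// Constructed sample ceremonies: same visible error, different internal cause.
const SAMPLES = [
  [{ atMs: 40, kind: "credential-excluded" }],
  [{ atMs: 2500, kind: "user-declined" }],
  [], // nothing happened before the timer ran out
];

// True if the calling page can tell the sample ceremonies apart from the
// (time, result) pair alone.
function distinguishable(timeoutMs, enforceTimer) {
  const seen = new Set(
    SAMPLES.map((evs) => JSON.stringify(observeCeremony(evs, timeoutMs, enforceTimer)))
  );
  return seen.size > 1;
}

console.log("held until timer:", distinguishable(60000, true));   // false
console.log("released early:  ", distinguishable(60000, false));  // true
```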