[webauthn] The authenticator may hide the credential even if the RP signals unknown credentials (#2192)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== The authenticator may hide the credential even if the RP signals unknown credentials ==
## Proposed Change

In the spec, there are some descriptions and recommendations on how the authenticator handles the signal APIs.
Currently, in many parts, there are descriptions like this.

> [WebAuthn Relying Parties](https://w3c.github.io/webauthn/#webauthn-relying-party) may use these signal methods to inform [authenticators](https://w3c.github.io/webauthn/#authenticator) of the state of [public key credentials](https://w3c.github.io/webauthn/#public-key-credential), so that incorrect or revoked credentials may be `updated, removed, or hidden`.

The authenticator may decide not to remove the credential at the time of receiving the signal, and it may remove it after a certain amount of time passes. It implies that the authenticator would not delete the credential and that, for some reasons, the hidden credential would be changed back to an active credential.

In the case where the user directly goes through the authenticator's dedicated UI and then deletes the credential, it would not be reported to the RP, which causes a credential mismatch. So, for this case, the authenticator would hide the credential if the user deletes it through the menu, and it would be restored in some cases, and it would still work without any issue.
For this scenario, the hiding feature might be a good choice for an authenticator, to prevent the credential from being accidentally removed so that the user avoids a lockout case.

However, for the signal APIs, the RP indicates the acceptable credentials with an intention, so it would be better for authenticators to delete or update credentials if that is required to meet the original requirement (synchronization between authenticators and the RP).



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2192 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 October 2024 09:03:08 UTC
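Added example, not part of the issue above and not code from the WebAuthn spec or any browser: the RP-side decision of which signal API call to make after an assertion, using the spec's static methods `PublicKeyCredential.signalUnknownCredential` and `PublicKeyCredential.signalAllAcceptedCredentials`. The RP ID, user IDs, credential IDs and the in-memory credential store are constructed sample data; `planSignals` and `sendSignals` are names assumed here. Because, as the issue notes, an authenticator may hide rather than delete a signalled credential and may later restore it, the RP cannot treat a signal as acknowledged: the plan is rebuilt from the RP's own database on every assertion, so an unknown credential is re-signalled each time it shows up.

```javascript
// Assumed RP ID and a constructed credential store: user ID (base64url) -> set of
// accepted credential IDs (base64url). A real RP would read this from its database.
const RP_ID = "example.com";
const credentialStore = new Map([
  ["dXNlci0x", new Set(["Y3JlZC1h", "Y3JlZC1i"])], // "user-1" owns "cred-a" and "cred-b"
]);

// Decide which signals to send after navigator.credentials.get() returned an
// assertion with credential ID `assertionCredentialId` and user handle `userId`
// (userId may be undefined if the assertion carried no user handle).
// Returns a list of { method, options } descriptors so the decision can be
// checked without a browser; sendSignals() performs the actual calls.
function planSignals(assertionCredentialId, userId) {
  const accepted = userId === undefined ? undefined : credentialStore.get(userId);
  const plan = [];

  if (!accepted || !accepted.has(assertionCredentialId)) {
    // The RP has no record of this credential (unknown user, or a credential the
    // RP already revoked). Tell the authenticator so it can update, remove or
    // hide it. This carries no user ID: the RP has not authenticated anyone yet.
    plan.push({
      method: "signalUnknownCredential",
      options: { rpId: RP_ID, credentialId: assertionCredentialId },
    });
    return plan;
  }

  // The credential is known; the assertion signature is assumed to have been
  // verified elsewhere. Send the user's full accepted list so the authenticator
  // can reconcile credentials the RP revoked out of band (e.g. from a settings page).
  plan.push({
    method: "signalAllAcceptedCredentials",
    options: {
      rpId: RP_ID,
      userId,
      allAcceptedCredentialIds: [...accepted],
    },
  });
  return plan;
}

// Perform the planned calls in a browser. Both methods are static on
// PublicKeyCredential and return a Promise; they are advisory only, so the RP
// never waits on them to decide whether the login succeeds. Returns the number
// of signals actually issued (0 outside a browser or without signal API support).
async function sendSignals(plan) {
  if (typeof PublicKeyCredential === "undefined") return 0; // e.g. Node.js
  let sent = 0;
  for (const { method, options } of plan) {
    if (typeof PublicKeyCredential[method] !== "function") continue; // no signal API
    try {
      await PublicKeyCredential[method](options);
      sent++;
    } catch (e) {
      // A rejected signal must not affect the authentication outcome.
      console.warn(`${method} failed:`, e);
    }
  }
  return sent;
}

// Example flow: an assertion arrives for a credential the RP has revoked.
planSignals("Y3JlZC16", "dXNlci0x").forEach((s) => console.log(s.method, s.options));
sendSignals(planSignals("Y3JlZC16", "dXNlci0x")).then((n) => console.log("signals sent:", n));
```

The RP still rejects the assertion for an unknown credential on its own; the signal only helps the authenticator stop offering that credential, and whether it is deleted, hidden or later restored is invisible to the RP.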