- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Thu, 26 Sep 2024 17:01:34 +0000
- To: public-webauthn@w3.org
The PR I sent was purely about consistency but _not_ about agreement with this new change. As a WebAuthn _user_, I would like my privacy choices to be respected regardless of what an RP thinks. Worst case, an RP can abort the ceremony if I do not consent to provide an AAGUID forcing me to not use that RP or knowingly provide information I would rather keep private because I desire to be a user so badly. Currently web browsers like Firefox ask for user consent when registering a new credential iff `"none"` `AttestationConveyancePreference` is not requested in order to balance usability and user privacy. With this change, a user that was not asked for consent will always provide AAGUID when using a platform authenticator. This means user agents at best will have to adapt to _always_ asking for consent even when `"none"` is requested and use that response to dictate if AAGUID should be replaced even for platform authenticators or ask for consent _after_ receiving the response from an authenticator in the event AAGUID is not all-zero in order to reduce how often consent must be asked. Perhaps the spec should require user agents to at least ask for user consent when AAGUID is not all-zero restoring the user's right to choose? -- GitHub Notification of comment by zacknewman Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1962#issuecomment-2377486455 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 26 September 2024 17:01:35 UTC