- From: mpan-pl via GitHub <sysbot+gh@w3.org>
- Date: Mon, 07 Apr 2025 08:12:01 +0000
- To: public-webauthn@w3.org
Probably too late now to make this issue actionable, but if this is ever resurrected: > [@equalsJeffH](https://github.com/equalsJeffH) where could I find more info on it? > > I don't think QUIC specific technology would address all the use cases. Namely Tor wouldn't be able to use it, as it doesn't support UDP that QUIC uses. (…) The moment QUIC stops being optional, Tor will have to support it. Or it’s going to lose its purpose. For the time being plain TLS-over-TCP is going to be usable, but it’s only buying time. So I’d not be worried about Tor missing webauthn. If anything, it may be a good incentive to implement QUIC tunneling over Tor. In a way it may even be beneficial: not many excuses to block authenticated connections. Implementing that on a protocol level has some advantages. **QUIC is not limited to HTTP, and HTTP/3 is not limited to websites.** Having client authentication at a protocol level, be it QUIC or HTTP/3, offers much wider possibilities. There is also an enormous **financial gain, that benefits ~100% of users.** The implementation is needed only in two dozen pieces of software (servers and clients), while the rest of the world (100% minus two dozen) no longer needs to deal with the problem. How much money is wasted on everybody implementing webauthn individually (or at least deploying as 3rd party libs)? How much is wasted on maintaining client-side components? It would also make it absolutely trivial, increasing adoption. It’s also worth noting, that citing 1% of users having JS disabled is quite flawed. It’s a kind of circular reasoning, because decisions such as this affect that number. We could as well say that 100% of users here had JS enabled to post a comment against JS. Yes, 99% of web users have it enabled for four simple reasons: 1. This isn’t users’ free choice. The moment one makes a different decision, one is banned from using many popular sites. 2. They never have an option to make any choice in the first place, because they’re never informed about such a choice. So it’s not even users’ decision in most cases. 3. The choice is not symmetrical regarding the effort. To not have webapps automatically run, one has to take active action and e.g. install a 3rd party add-on. -- GitHub Notification of comment by mpan-pl Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-2782396626 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 7 April 2025 08:12:02 UTC