[webauthn] are user handles in the wild including user data? (#2324)

npdoty has just created a new issue for https://github.com/w3c/webauthn:

== are user handles in the wild including user data? ==
Do we have deployment experience yet with user handles to evaluate whether RPs are complying with the in-spec advice? I would expect that advice to relying parties to definitely not put user email addresses into these would be ignored, but that's just my speculation.

If they should be an opaque random number, maybe the client should generate it and return it to the RP? 

If actually they're just going to be user-specific usernames, it might be time to update expectations and instead consider any impacts on privacy as a result.

If experience is showing in the wild that they aren't user-specific and sites are consistent in making them intelligence-free identifiers, great!

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2324 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
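As an added illustration of the relying-party side of this question (example code written here, not from the issue or the webauthn project): a Python helper that generates opaque random user handles, keeps the handle-to-account mapping on the RP, and runs an assumed heuristic lint that flags handles shaped like e-mail addresses or human-readable usernames. The heuristic and the store are assumptions for this example, not spec text.

```python
import re
import secrets
from typing import Optional

MAX_USER_HANDLE_BYTES = 64  # WebAuthn caps user.id at 64 bytes

# Heuristic assumed for this example: an e-mail-shaped byte string is user data.
_EMAIL_RE = re.compile(rb"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def generate_user_handle(length: int = 32) -> bytes:
    """Return a fresh opaque handle from a CSPRNG; the RP stores it with the
    account and never derives it from a username or e-mail address."""
    if not 1 <= length <= MAX_USER_HANDLE_BYTES:
        raise ValueError("user handle must be 1..64 bytes")
    return secrets.token_bytes(length)


def looks_like_user_data(handle: bytes) -> bool:
    """Assumed lint: flag e-mail-shaped handles or handles made entirely of
    printable ASCII, which random bytes of this length almost never are."""
    if _EMAIL_RE.match(handle):
        return True
    return len(handle) >= 3 and all(0x20 <= b < 0x7F for b in handle)


def check_user_handle(handle: bytes) -> tuple:
    """Validate a handle before the RP sends it as user.id in a registration."""
    if not 1 <= len(handle) <= MAX_USER_HANDLE_BYTES:
        return False, "length outside 1..64 bytes"
    if looks_like_user_data(handle):
        return False, "handle appears to contain user data"
    return True, "ok"


class UserHandleStore:
    """Minimal in-memory handle-to-account mapping (constructed for the example)."""

    def __init__(self) -> None:
        self._by_handle = {}

    def register(self, account: str) -> bytes:
        handle = generate_user_handle()
        self._by_handle[handle] = account
        return handle

    def account_for(self, handle: bytes) -> Optional[str]:
        # On authentication the userHandle in the assertion resolves the
        # account; nothing about the user is recoverable from the bytes.
        return self._by_handle.get(handle)
```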

Received on Thursday, 14 August 2025 17:49:23 UTC