Re: [webauthn] Provide a method to get the count of the credentials of a rely party on client device on user permission (#2255)

Thank you for your answers.

  1.  I'm not referring to excludeCredentials. I'm talking about new account registration.
  2.  That is too trivial to be a user privacy concern.
  3.  Actually, the AAGUID (Authenticator Attestation Globally Unique Identifier) is already present, and its authenticity is ensured by attestation. But the AAGUID only indicates the make and model of the authenticator. If each authenticator is given a GUID (AGUID), or just a shorter id string to distinguish it from other authenticators of the same make and model, it can be returned along with the AAGUID.

For AAGUID, see https://w3c.github.io/webauthn/#aaguid
For Attestation, see https://w3c.github.io/webauthn/#attestation
For Attestation Certificate, see https://w3c.github.io/webauthn/#attestation-certificate


________________________________
From: Ackermann Yuriy ***@***.***>
Sent: 11 February 2025 16:56
To: w3c/webauthn ***@***.***>
Cc: bigradish ***@***.***>; Mention ***@***.***>
Subject: Re: [w3c/webauthn] Provide a method to get the count of the credentials of a rely party on client device on user permission (Issue #2255)


  1.  Are you referring to excludeCredentials <https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-excludecredentials>? Again, this would only prevent the user from re-registering.
  2.  That would disclose that the user does not want to share information.
  3.  Again, the WebAuthn API is not an account management system lol. It's a key management API.

And lastly, as stated before, the web security model is based on no trust in the user side. The server must at all times be aware that nothing that comes from the browser can be trusted.

Making stuff read-only, etc., does not matter, since extensions will just override your JS and send you false information.

Most importantly, malicious actors won't care about the browser, specs, whatever. They will simply run a broken version of the browser with a "fixed" API and abuse your system to the end.

The best you can do is correctly build your threat model, use KYC techniques like iProve, etc., register people by phone number, and many, many other ways to limit the attack vector.

OWASP is your friend https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html

―
Reply to this email directly, view it on GitHub <https://github.com/w3c/webauthn/issues/2255#issuecomment-2650176548>, or unsubscribe.
You are receiving this because you were mentioned.


-- 
GitHub Notification of comment by bigradish
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2255#issuecomment-2652654350 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 12 February 2025 04:45:39 UTC