- From: Kyle Simpson via GitHub <sysbot+gh@w3.org>
- Date: Sat, 22 Feb 2025 17:33:14 +0000
- To: public-webauthn@w3.org
getify has just created a new issue for https://github.com/w3c/webauthn: == Can we document protections (if any) around userHandle (with user-verification)? == Sometime mid-last year, when I was researching webauthn, I came across (I think via googling) some thread, I strongly believe somewhere on this repository, that had, somewhere in the middle of it, a discussion of the `userHandle` coming back in an assertion-response. What I recall was, apparently prior to that discussion, it was assumed `userHandle` could come back on all responses, but a concern was raised that is a potential privacy leak. It was, I believe, thus indicated that `userHandle` should only be returned in the case of UV (user verification), to ensure the user was aware of the authentication, and it not being a silent drive-by authentication that could be snooping to leak that data. Indeed, my testing indicates that `userHandle` is in fact only returned under the conditions when UV was required and succeeded. But I am really struggling now to find: - that discussion/message, where it was definitively asserted that `userHandle` should only come back for UV responses - any wording (normative or not) in the spec (either L2 or L3-draft) which actually confirms this requirement Can anyone here provide assistance on those items, in hopes of documenting this particular "protection" around `userHandle` as being intentional, and the justifications thereof. Appreciate the help! Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 22 February 2025 17:33:15 UTC