Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

I think it might be the text from CTAP2.1 that is causing confusion.

“Update the response to include the selected credential’s publicKeyCredentialUserEntity information. User identifiable information (name, DisplayName, icon) inside the publicKeyCredentialUserEntity MUST NOT be returned if user verification is not done by the authenticator”

So in CTAP the name is not returned from the authenticator without UV; however, userHandle is always returned from a discoverable credential.

The issue is privacy if an authenticator is searched, by, say, a border guard. The name, DisplayName, etc. are never returned over WebAuthn and are only used for local UX.

userHandle is set by the RP and is pairwise to that RP. It can't be used to track across RPs.

We have said that RPs should not set userHandle to include sensitive information, or if they do, set credProtect level 2 or higher.

CredProtect level 2 is the default for Chrome. That may explain what you are seeing, where an allow list is sent with UV discouraged and they are treated as non-discoverable credentials in the response even if they were created as discoverable.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2676490702 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 23 February 2025 01:26:28 UTC