Re: [webauthn] Add excludeUsers to prevent creation of new keys for known users (#2309) from Firstyear via GitHub on 2025-07-11 (public-webauthn@w3.org from July 2025)

From: Firstyear via GitHub <noreply@w3.org>
Date: Fri, 11 Jul 2025 02:08:11 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-3059985720-1752199688-noreply@w3.org>

> So what is the threat model you have in mind and which leakage of what to whom you are worried about?

If someone were to sign up to an online service, say .... Ashley Madison? Then in that request, you get back a list of every user that already has enrolled. That would be pretty incriminating no? 



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2309#issuecomment-3059985720 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 July 2025 02:08:12 UTC