Re: [webauthn] Add excludeUsers to prevent creation of new keys for known users (#2309)

@Firstyear I think I explained this above already? Or maybe I am missing something. First, user IDs are an "opaque [byte sequence](https://infra.spec.whatwg.org/#byte-sequence) with a maximum size of 64 bytes, and is not meant to be displayed to the user," so I am not sure how such a list of random-looking IDs would be incriminating to anyone. Even more, RPs concerned about the privacy of their users could always use mapped IDs, used only as WebAuthn user IDs, which are then mapped to the real user IDs used elsewhere in the system. But more importantly, RPs should not put into `excludeUsers` a list of all IDs known to the RP, only IDs for which they have some additional information that they belong to the user currently signing in. Exactly the same as with `excludeCredentials`, where the RP does not list the credentials of everyone known to the RP.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2309#issuecomment-3060699568 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 July 2025 05:56:56 UTC