Re: [webauthn] Proposal: Scoped Attestation Privacy + Practical CBOR Size Guidance (WebAuthn L3) (#2390)

Follow-up (clarification)

- The proposal is fully backward-compatible and introduces no new cryptographic primitives; it only makes explicit the scoped-privacy expectation for attestation material.
- The size numbers (8KB / 6KB / 10KB) are intentionally NON-normative guidance (“aim to keep”), meant to reduce deployability/transport failure modes. If preferred, the WG can keep only “SHOULD minimize” in the main text and move the numeric values to an informative note.
- The referenced WPT-style tests are WARN-only diagnostics (not conformance failures) and are provided purely to demonstrate testability and help detect cross-RP correlation risk indicators early.

Happy to adjust wording to match WG preference (e.g., “MUST NOT enable cross-RP correlation unless user explicitly consents” vs. softer informative phrasing).


-- 
GitHub Notification of comment by fazoncore
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2390#issuecomment-3865125638 using your GitHub account


Received on Saturday, 7 February 2026 19:16:33 UTC