Web Authentication's PublicKeyCredential signal methods #996

Closed
1 task done
nsatragno opened this issue Sep 19, 2024 · 3 comments
Labels: Mode: breakout (Work done during a time-limited breakout session); Resolution: satisfied (The TAG is satisfied with this design); Review type: later review; Topic: authentication; Venue: WebAuth WG

Comments

@nsatragno

Hello, TAG!

I'm requesting a TAG review of Web Authentication's PublicKeyCredential signal methods.

Allow WebAuthn relying parties to report information about existing credentials back to credential storage providers, so that incorrect or revoked credentials can be updated or removed from provider and system UI.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Relevant time constraints or deadlines:
  • The group where the work on this specification is currently being done: WebAuthn WG
  • Major unresolved issues with or opposition to this specification: None
  • This work is being funded by: Google
@maxpassion

Hi @nsatragno - thanks for sending this our way. It would help us to review better if the explainer were more clear about the user need you're trying to service. You've described the problem statement and objective in low-level terms, but the UX issue you're trying to tackle here is not clear. If you can start by describing the user need, that would be helpful. It's good to see support from WebKit.

@jyasskin
Contributor

@maxpassion The explainer includes

  1. If a relying party stops accepting a credential, e.g. as a result of revoking it from an account or by completely deleting an account, the credential is still presented by clients during discoverable flows.
  2. Even if relying parties allow a user to change their username or display name on the account, such changes are not reflected in the display of credentials during discoverable flows.

Those seem like the high-level UX issues that this feature is designed to tackle?

@maxpassion

Thanks for the clarification @jyasskin, the use case of not presenting invalid credentials to clients looks useful, and the API shape looks reasonable. We're also happy to see the widespread stakeholder support on w3c/webauthn#2093.

@jyasskin added the "Resolution: satisfied" label on Dec 14, 2024
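
A relying-party sketch of how the two problems quoted from the explainer map onto the signal methods, as an added example that is not code from this issue, the explainer or any participant. The method names and option fields follow WebAuthn Level 3 rather than anything stated on this page, and the account object with its field names is hypothetical.

```javascript
// Added example. The account object and its field names are hypothetical;
// the three method names and their options follow WebAuthn Level 3.

// IDs are passed to the signal methods as unpadded base64url strings.
function b64url(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// After sign-in or an account change: report which credentials are still
// accepted (problem 1) and the current names (problem 2).
function signalsForAccount(rpId, account) {
  // The accepted-credential list is per-user data: build it only for the
  // user who is authenticated in this session.
  if (!account.authenticated) throw new Error("user is not authenticated");
  const userId = b64url(account.userId);
  return [
    ["signalAllAcceptedCredentials", {
      rpId, userId,
      allAcceptedCredentialIds: account.credentialIds.map(b64url),
    }],
    ["signalCurrentUserDetails", {
      rpId, userId, name: account.name, displayName: account.displayName,
    }],
  ];
}

// After the server rejects an assertion made with a credential it no longer knows.
function signalForRejectedCredential(rpId, credentialId) {
  return [["signalUnknownCredential", { rpId, credentialId: b64url(credentialId) }]];
}

// Send each signal if the client supports it; signals are best effort, so
// a missing method or a rejected promise never breaks the sign-in flow.
async function sendSignals(signals, pkc = globalThis.PublicKeyCredential) {
  const sent = [];
  for (const [method, payload] of signals) {
    if (typeof pkc?.[method] !== "function") continue;
    try {
      await pkc[method](payload);
      sent.push(method);
    } catch (err) {
      console.warn(`${method} failed:`, err);
    }
  }
  return sent;
}
```

In a browser the default `pkc` argument resolves to the real `PublicKeyCredential`; passing a stub, as a test would, exercises the same code path offline.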