
Commit

Merge pull request #2134 from w3c/issue-2132-obsolete-privacy-cons
Update obsolete privacy concerns about throwing errors early
emlun authored Sep 24, 2024
2 parents 199dcda + e0fb9b2 commit adf7a95
Showing 1 changed file with 13 additions and 11 deletions.
24 changes: 13 additions & 11 deletions index.bs
Expand Up @@ -2234,9 +2234,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
</dl>
</li>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-make-credential-privacy]] for details.
1. Throw a "{{NotAllowedError}}" {{DOMException}}.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator. When <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
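Review bot: the replacement step drops not only the "MUST NOT be executed before |lifetimeTimer| has expired" requirement but also the cross-reference "See [[#sctn-make-credential-privacy]] for details." Implementers reading the [[Create]] algorithm now get no pointer to the privacy section that explains how a client is expected to throw {{NotAllowedError}} without revealing whether an excluded credential was present. Suggest keeping the reference in the step, e.g. `1. Throw a "{{NotAllowedError}}" {{DOMException}}. See [[#sctn-make-credential-privacy]] for the associated privacy considerations.`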
Expand Down Expand Up @@ -2683,9 +2681,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Return |constructAssertionAlg| and terminate this algorithm.
</dl>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-assertion-privacy]] for details.
1. Throw a "{{NotAllowedError}}" {{DOMException}}.

</div>

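Review bot: same point as for the [[Create]] step: the new line `1. Throw a "{{NotAllowedError}}" {{DOMException}}.` loses the "See [[#sctn-assertion-privacy]] for details." pointer, and since this change moves the mitigation from a normative timing rule in the algorithm to UI guidance in the privacy section, the algorithm is the only place a reader of the [[Get]] steps would learn that guidance exists. Suggest retaining the cross-reference to [[#sctn-assertion-privacy]] in the step even though the timing requirement is removed.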
Expand Down Expand Up @@ -8834,8 +8830,8 @@ credential|credentials=] listed by the [=[RP]=] in {{PublicKeyCredentialCreation
If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for
which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as an excluded [=authenticator=] becomes available. In this case - especially if the excluded
[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled before the
timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled
before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
credential|credentials=] listed in the {{PublicKeyCredentialCreationOptions/excludeCredentials}} parameter is available to the user.

The above is not a concern, however, if the user has [=user consent|consented=] to create a new credential before a
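Review bot: after deleting "before the timeout and", this section still states that returning "a failure response as soon as an excluded [=authenticator=] becomes available" is an information leak, yet the algorithm step in the first hunk now allows the client to throw immediately, and unlike the assertion section in the last hunk no replacement mitigation is stated here. Suggest adding a sentence parallel to the one added under [[#sctn-assertion-privacy]], stating what the client should do instead (for example, only fail once the user-visible UI for the ceremony has been shown, so the [=[RP]=] cannot distinguish an excluded-credential failure from a user cancellation).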
Expand All @@ -8854,12 +8850,18 @@ key credential|credential=] is listed by the [=[RP]=] in {{PublicKeyCredentialRe
- A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it.

If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing
for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as the user denies [=user consent|consent=] to proceed with an [=authentication ceremony=]. In this
case the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
for which [=public key credential|credentials=] are available.
For example, one such information leak may happen if the client displays instructions and controls
for canceling or proceeding with the [=authentication ceremony=]
only after discovering an [=authenticator=] that [=contains=] a named [=credential=].
In this case, if the [=[RP]=] is aware of this [=client=] behavior,
the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialRequestOptions/allowCredentials}} parameter is
available to the user.

This concern may be addressed by displaying controls allowing the user to cancel an [=authentication ceremony=] at any time,
regardless of whether any named [=credentials=] are available.


### Privacy Between Operating System Accounts ### {#sctn-os-account-privacy}

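Review bot: the added text uses bare `[=credential=]` / `[=credentials=]` link terms ("an [=authenticator=] that [=contains=] a named [=credential=]" and "regardless of whether any named [=credentials=] are available") while every other reference in this section uses the explicit `[=public key credential|credential=]` form; confirm the bare term resolves as a dfn alias in the bikeshed build or switch to the explicit form. Also, the new lines are wrapped one clause per line whereas the surrounding paragraphs in this section wrap at roughly 130 columns; pick one wrapping style within the paragraph so the source diff stays readable.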

0 comments on commit adf7a95
