Update obsolete privacy concerns about throwing errors early

w3c · Sep 4, 2024 · e0fb9b2 · e0fb9b2
1 parent a871f79
commit e0fb9b2
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/index.bs b/index.bs
@@ -2234,9 +2234,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
         </dl>
     </li>
 
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
-    user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
-    [[#sctn-make-credential-privacy]] for details.
+1. Throw a "{{NotAllowedError}}" {{DOMException}}.
 
 During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
 authorizing an authenticator. When <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
@@ -2683,9 +2681,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
             1.  Return |constructAssertionAlg| and terminate this algorithm.
     </dl>
 
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
-    user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
-    [[#sctn-assertion-privacy]] for details.
+1. Throw a "{{NotAllowedError}}" {{DOMException}}.
 
 </div>
 
@@ -8806,8 +8802,8 @@ credential|credentials=] listed by the [=[RP]=] in {{PublicKeyCredentialCreation
 If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for
 which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
 failure response as soon as an excluded [=authenticator=] becomes available. In this case - especially if the excluded
-[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled before the
-timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
+[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled
+before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
 credential|credentials=] listed in the {{PublicKeyCredentialCreationOptions/excludeCredentials}} parameter is available to the user.
 
 The above is not a concern, however, if the user has [=user consent|consented=] to create a new credential before a
@@ -8826,12 +8822,18 @@ key credential|credential=] is listed by the [=[RP]=] in {{PublicKeyCredentialRe
 - A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it.
 
 If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing
-for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
-failure response as soon as the user denies [=user consent|consent=] to proceed with an [=authentication ceremony=]. In this
-case the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
+for which [=public key credential|credentials=] are available.
+For example, one such information leak may happen if the client displays instructions and controls
+for canceling or proceeding with the [=authentication ceremony=]
+only after discovering an [=authenticator=] that [=contains=] a named [=credential=].
+In this case, if the [=[RP]=] is aware of this [=client=] behavior,
+the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
 one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialRequestOptions/allowCredentials}} parameter is
 available to the user.
 
+This concern may be addressed by displaying controls allowing the user to cancel an [=authentication ceremony=] at any time,
+regardless of whether any named [=credentials=] are available.
+
 
 ### Privacy Between Operating System Accounts ### {#sctn-os-account-privacy}