From e0fb9b2326cc00a9331444f855af7b67375f020f Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 4 Sep 2024 13:55:40 +0200 Subject: [PATCH] Update obsolete privacy concerns about throwing errors early --- index.bs | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index 0e61497b8..a5ff4e724 100644 --- a/index.bs +++ b/index.bs @@ -2234,9 +2234,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o -1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the - user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See - [[#sctn-make-credential-privacy]] for details. +1. Throw a "{{NotAllowedError}}" {{DOMException}}. During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator. When |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should not be shown unless credential creation was previously consented to via means determined by the user agent. @@ -2683,9 +2681,7 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. Return |constructAssertionAlg| and terminate this algorithm. -1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the - user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See - [[#sctn-assertion-privacy]] for details. +1. Throw a "{{NotAllowedError}}" {{DOMException}}. 
@@ -8806,8 +8802,8 @@ credential|credentials=] listed by the [=[RP]=] in {{PublicKeyCredentialCreation If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a failure response as soon as an excluded [=authenticator=] becomes available. In this case - especially if the excluded -[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled before the -timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key +[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled +before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialCreationOptions/excludeCredentials}} parameter is available to the user. The above is not a concern, however, if the user has [=user consent|consented=] to create a new credential before a 
@@ -8826,12 +8822,18 @@ key credential|credential=] is listed by the [=[RP]=] in {{PublicKeyCredentialRe - A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it. If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing -for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a -failure response as soon as the user denies [=user consent|consent=] to proceed with an [=authentication ceremony=]. In this -case the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least +for which [=public key credential|credentials=] are available. +For example, one such information leak may happen if the client displays instructions and controls +for canceling or proceeding with the [=authentication ceremony=] +only after discovering an [=authenticator=] that [=contains=] a named [=credential=]. +In this case, if the [=[RP]=] is aware of this [=client=] behavior, +the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialRequestOptions/allowCredentials}} parameter is available to the user. +This concern may be addressed by displaying controls allowing the user to cancel an [=authentication ceremony=] at any time, +regardless of whether any named [=credentials=] are available. + ### Privacy Between Operating System Accounts ### {#sctn-os-account-privacy}
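Review bot: In the @@ -2234 hunk (the create() algorithm), removing "this step MUST NOT be executed before |lifetimeTimer| has expired" together with "See [[#sctn-make-credential-privacy]] for details" leaves the "{{NotAllowedError}}" step with no normative timing constraint and no pointer to the privacy consideration that motivated it, even though the corresponding section (the @@ -8806 hunk) still describes the early-failure response as a live leak. If dropping the timing requirement is intended, consider keeping the cross-reference so that implementers reading the algorithm still find the consideration, and have the commit message say why the constraint is obsolete rather than only that it is.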
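Review bot: In the @@ -2683 hunk (the get() algorithm), the same MUST NOT and the "See [[#sctn-assertion-privacy]] for details" pointer are removed, but the replacement guidance added in the @@ -8826 hunk ("This concern may be addressed by displaying controls allowing the user to cancel ...") is non-normative prose that lives only in the privacy section. Consider either keeping the cross-reference at this step or adding a SHOULD in the algorithm so that the normative text matches the new mitigation; as written, the throw step no longer points at anything that tells a client how to avoid the leak.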
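Review bot: In the @@ -8806 hunk the only change is dropping "before the timeout and" from what the RP can detect, yet the preceding sentence still presents "the client returns a failure response as soon as an excluded [=authenticator=] becomes available" as a live leak. With the MUST NOT removed from the create() algorithm, this section now states the problem but offers no mitigation beyond the consent case that follows ("The above is not a concern, however, if the user has [=user consent|consented=] ..."). Consider adding a sentence parallel to the one added in the assertion section, saying what the client should do while consent has not yet been given, so the two privacy sections are treated consistently.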
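Review bot: In the @@ -8826 hunk, the added mitigation "This concern may be addressed by displaying controls allowing the user to cancel an [=authentication ceremony=] at any time, regardless of whether any named [=credentials=] are available" does not say why it works; one clause (cancellation is then possible in both cases, so a user-initiated cancel no longer implies that a named credential was found) would make the argument self-contained. Two smaller points: the clause "if the [=[RP]=] is aware of this [=client=] behavior" reads as a precondition of the leak rather than of its exploitation, and the new lines use the short link forms [=credential=], [=credentials=] and [=contains=] where the surrounding text uses [=public key credential|credentials=]; please check that these resolve to the intended Bikeshed definitions.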