Update obsolete privacy concerns about throwing errors early #2134

Merged (1 commit), Sep 24, 2024
24 changes: 13 additions & 11 deletions index.bs
Expand Up @@ -2234,9 +2234,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
</dl>
</li>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-make-credential-privacy]] for details.
1. Throw a "{{NotAllowedError}}" {{DOMException}}.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator. When <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
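Review bot: the replacement step `1. Throw a "{{NotAllowedError}}" {{DOMException}}.` drops not only the |lifetimeTimer| gating but also the pointer to [[#sctn-make-credential-privacy]]; that section still describes the probing leak (this same PR keeps its example of failing "as soon as an excluded [=authenticator=] becomes available"), so consider retaining a non-normative "See [[#sctn-make-credential-privacy]] for details." after the step, so that an implementer reaching this point of the algorithm still finds the rationale and the UI mitigation that now replaces the timer guard.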
Expand Down Expand Up @@ -2683,9 +2681,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Return |constructAssertionAlg| and terminate this algorithm.
</dl>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-assertion-privacy]] for details.
1. Throw a "{{NotAllowedError}}" {{DOMException}}.

</div>
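Review bot: same point as for the create() step: the new `1. Throw a "{{NotAllowedError}}" {{DOMException}}.` is now unconditional and no longer references [[#sctn-assertion-privacy]], which is the only place (see the last hunk) that explains why an early failure is acceptable and what UI behaviour is expected of the client; keep a "See [[#sctn-assertion-privacy]] for details." cross-reference here so the mitigation stays discoverable from the get() algorithm.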

Expand Down Expand Up @@ -8806,8 +8802,8 @@ credential|credentials=] listed by the [=[RP]=] in {{PublicKeyCredentialCreation
If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing for
which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as an excluded [=authenticator=] becomes available. In this case - especially if the excluded
[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled before the
timeout and before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
[=authenticator=] is a [=platform authenticator=] - the [=[RP]=] could detect that the [=ceremony=] was canceled
before the user could feasibly have canceled it manually, and thus conclude that at least one of the [=public key
credential|credentials=] listed in the {{PublicKeyCredentialCreationOptions/excludeCredentials}} parameter is available to the user.

The above is not a concern, however, if the user has [=user consent|consented=] to create a new credential before a
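Review bot: with "before the timeout and" removed, the revised sentence rests entirely on the RP detecting a cancellation "before the user could feasibly have canceled it manually", but the paragraph no longer says what a client should do so that a cancellation cannot arrive that early, and the normative timer guard at the create() step is removed in the first hunk. The parallel assertion section in the last hunk adds an explicit closing sentence recommending cancel controls regardless of credential availability; add the same mitigation sentence here so the make-credential section is not left stating a leak without its remedy.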
Expand All @@ -8826,12 +8822,18 @@ key credential|credential=] is listed by the [=[RP]=] in {{PublicKeyCredentialRe
- A named [=public key credential|credential=] is available, but the user does not [=user consent|consent=] to use it.

If the above cases are distinguishable, information is leaked by which a malicious [=[RP]=] could identify the user by probing
for which [=public key credential|credentials=] are available. For example, one such information leak is if the client returns a
failure response as soon as the user denies [=user consent|consent=] to proceed with an [=authentication ceremony=]. In this
case the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
for which [=public key credential|credentials=] are available.
For example, one such information leak may happen if the client displays instructions and controls
for canceling or proceeding with the [=authentication ceremony=]
only after discovering an [=authenticator=] that [=contains=] a named [=credential=].
In this case, if the [=[RP]=] is aware of this [=client=] behavior,
the [=[RP]=] could detect that the [=ceremony=] was canceled by the user and not the timeout, and thus conclude that at least
one of the [=public key credential|credentials=] listed in the {{PublicKeyCredentialRequestOptions/allowCredentials}} parameter is
available to the user.

This concern may be addressed by displaying controls allowing the user to cancel an [=authentication ceremony=] at any time,
regardless of whether any named [=credentials=] are available.


### Privacy Between Operating System Accounts ### {#sctn-os-account-privacy}
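Review bot: the added lines from "For example, one such information leak may happen" through "only after discovering an [=authenticator=] that [=contains=] a named [=credential=]." are wrapped one clause per line, while the surrounding paragraph wraps at roughly 120 columns; reflow to match. On substance, the mitigation sentence says cancel controls should be shown "at any time", but the leak just described comes from controls that appear only after a named credential is discovered, so state explicitly that the controls must be presented from the start of the [=authentication ceremony=], before any [=authenticator=] has been discovered. Minor: there is a double blank line before the "### Privacy Between Operating System Accounts ###" heading where the rest of the file uses one.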
