Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Privacy: ensuring RPs blinded to credential existence #105

Open
RByers opened this issue Apr 17, 2024 · 0 comments
Open

Privacy: ensuring RPs blinded to credential existence #105

RByers opened this issue Apr 17, 2024 · 0 comments
Assignees
@timcappalli
Labels
spec

Comments

@RByers
Copy link
Member

RByers commented Apr 17, 2024

For when we add a privacy considerations section to the spec, a property I believe is critical to capture is that an RP should be unable to learn if a matching credential is present or not until the user has given permission to allow the web site to access their wallet. This means, for example, that the UX of the no credential found case must be indistinguishable (eg. in terms of the occlusion and impact on web-observable input events) from the case where credentials are found.

See also #104 for a potential future way to mitigate the negative consequences of this principle.
@timcappalli timcappalli self-assigned this Apr 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timcappalli timcappalli

Labels
spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RByers @timcappalli