Extra privacy considerations.

w3c · Jul 24, 2024 · d3bcd3e · d3bcd3e
1 parent 33e61c6
commit d3bcd3e
Showing 1 changed file with 21 additions and 5 deletions.
diff --git a/index.bs b/index.bs
@@ -3003,15 +3003,19 @@ process a [=signal method/authenticator action=], [=clients=] may choose to use
 existing infrastructure such as [[!FIDO-CTAP]]'s
 `authenticatorCredentialManagement` command to achieve an equivalent effect.
 
-Note: [=signal methods] intentionally do not wait for the [=authenticators=] to
+Note: [=Signal methods=] intentionally do not wait for the [=authenticators=] to
 finish executing the [=signal method/authenticator actions=] to protect users
 from [=[WRPS]=] gaining information about availability of their credentials
 without [=user consent=] from the timing of the request.
 
 #### {{PublicKeyCredential/signalUnknownCredentialId(options)}} #### {#sctn-signalUnknownCredentialId}
 
 Signals that a [=credential id=] was not recognized by the [=[WRP]=], e.g.
-because it was deleted by the user.
+because it was deleted by the user. Unlike
+{{PublicKeyCredential/signalAllAcceptedCredentialIds(options)}}, this
+method does not require passing the entire list of accepted [=credential IDs=]
+and the [=userHandle=], avoiding a privacy leak to an unauthenticated caller
+(see [[#sctn-credential-id-privacy-leak]]).
 
 Upon execution of {{PublicKeyCredential/signalUnknownCredentialId(options)}},
 the [=client=] executes these steps:
@@ -3134,17 +3138,23 @@ PublicKeyCredential.signalAllAcceptedCredentialIds({
 });
 ```
 
-If the [=authenticator=] is attached at the time of the report, it deletes or
+If the [=authenticator=] is attached at the time of execution, it deletes or
 hides the [=credential=] corresponding to `aa` from future [=authentication
 ceremonies=].
 
 </div>
 
-Note: [=Authenticators=] may not be attached at the time a report is signalled.
+Note: [=Authenticators=] may not be attached at the time
+{{PublicKeyCredential/signalAllAcceptedCredentialIds(options)}} is executed.
 Therefore, [=[WRPS]=] may choose to run
 {{PublicKeyCredential/signalAllAcceptedCredentialIds(options)}} periodically,
 e.g. on every sign in.
 
+Note: Credentials not present in
+{{AllAcceptedCredentialIdsOptions/allAcceptedCredentialIds}} will be removed or
+hidden, potentially irreversibly. [=Relying parties=] must exercise care that
+valid credential IDs are never omitted from the list.
+
 #### {{PublicKeyCredential/signalCurrentUserDetails(options)}} #### {#sctn-signalCurrentUserDetails}
 
 Signals the user's current {{PublicKeyCredentialEntity/name}} and
@@ -3202,7 +3212,8 @@ of the matching credential.
 
 </div>
 
-Note: [=Authenticators=] may not be attached at the time a report is signalled.
+Note: [=Authenticators=] may not be attached at the time
+{{PublicKeyCredential/signalCurrentUserDetails(options)}} is executed.
 Therefore, [=[WRPS]=] may choose to run
 {{PublicKeyCredential/signalCurrentUserDetails(options)}} periodically, e.g. on
 every sign in.
@@ -9293,6 +9304,11 @@ i.e., if {{PublicKeyCredentialRequestOptions/allowCredentials}} needs to be expo
 the [=[RP]=] could mitigate the privacy leak using the same approach of returning imaginary [=credential IDs=]
 as discussed in [[#sctn-username-enumeration]].
 
+When [=signal methods|signalling=] that a [=credential id=] was not recognized,
+the [=[WRP]=] should use the
+{{PublicKeyCredential/signalUnknownCredentialId(options)}} method instead of the
+{{PublicKeyCredential/signalAllAcceptedCredentialIds(options)}} method to avoid
+exposing [=credential IDs=] to an unauthenticated caller.
 
 # Accessibility Considerations # {#sctn-accessiblility-considerations}