Tim Cappalli
Just another reminder that this is not a new capability and has existed in WebAuthn since L1 and is a critical part of the authenticator and credential data model. >...
@npdoty did the previous response sufficiently answer your questions about user handle?
This is not a spec concern as the spec does not dictate that clients filter extensions. Each client and user agent has their own security and privacy policies. I recommend...
> We can do deeper analysis than just that it's a risk and that someone could maybe mitigate it.

Pull requests welcome.

> Does 'supported' mean that there are available...
> We can do deeper analysis than just that it's a risk and that someone could maybe mitigate it.

@npdoty do you know anyone who can help with this analysis...
> Is this intended to support signing in to one relying party when that party is embedded on a different site?

Yes, the primary use case is a payment service...
@npdoty did my responses address your concerns?
Responses from @timcappalli @kreichgauer @nsatragno @MasterKale

> How could this feature be abused?

The main concern here would be user identification across (seemingly) unrelated sites. As with cross-origin iframes, this...