- From: Yaron Sheffer via GitHub <sysbot+gh@w3.org>
- Date: Sat, 17 Sep 2016 07:09:34 +0000
- To: public-webauthn@w3.org
yaronf has just created a new issue for https://github.com/w3c/webauthn: == Privacy across Account IDs == 4.5: ``excludeList`` allows an RP to tie different identities, i.e. to check if Alice and Bob are both used as identities on the same authenticator. This is because each of the ``CredentialDescription`` structures can contain a different id value, whereas if we only wanted to prevent multiple credentials for the same account, we would simply use the id value of the Account structure. Is this an attack we are willing to live with? Why not require (or allow) user consent for this step, e.g. "RP X wants to see other identities you have with it, do you allow that?" @vijaybh: One issue is that there are authenticators which have no local storage, but encode the entire credential and all its metadata into the credential ID. So for these authenticators, a credential ID is required. However, **the authenticator could ignore any excludeList entries that are not for the same account ID**. Please view or discuss this issue at https://github.com/w3c/webauthn/issues/204 using your GitHub account
Received on Saturday, 17 September 2016 07:09:49 UTC