Re: Notes on the latest CAPTCHA Note draft

My understanding is that biometrics are generally handled entirely on the authentication device, and that biometric data are never transmitted to a server. The client/server interaction is via a cryptographic authentication protocol such as the recently released Web Authentication specification.

If the authenticating device is considered trustworthy, then the authentication attempt is allowed to succeed.

I might be wrong, of course; input from those with experience in this area would be appreciated. Note that this section is inherited from the 2005 version of the document. It might be better to replace it with more general material, now that the Web Authentication specification is available:
https://www.w3.org/TR/webauthn/


On 5/9/19, 14:13, "Janina Sajka" <janina@rednote.net> wrote:

    Good question about locating biometrics, Jason.

    How shall we decide? Is it just the device that registers the
    fingerprint? Or is some signature uploaded to Google or Apple? How does
    it work? I frankly don't know, but I think the answer will tell us how
    to locate our biometric section.

    Janina

    White, Jason J writes:
    > Thank you for the thoughtful comments, Janina.
    >
    > Subdivision may not be the best choice: grouping the items together, and noting the fact in the introductory text of the section, may well be sufficient to make the point clear.
    >
    > How shall we handle the biometrics issue?
    >
    > On 5/9/19, 13:27, "Janina Sajka" <janina@rednote.net> wrote:
    >
    >     Hi, Jason:
    >
    >     I'm certainly open to moving sections around. We've already done some of
    >     that in the past, and can certainly do more if it makes sense.
    >
    >     The only breakdown we've specified is stand-alone vs. multi-party.
    >     We could further subdivide, if that seems reasonable. But, I'm not yet
    >     convinced we should try for further subdivision.
    >
    >     Janina
    >
    >     White, Jason J writes:
    >     > Here are my notes upon a perusal of the latest draft.
    >     >
    >     >
    >     >   1.  Sections 2.6 (Logic Puzzles) and 2.7 (Image and Video) are both implementations of a CAPTCHA challenge. Should they accordingly be moved to appear after section 2.2 (“Sound Output”), to bring together all of the CAPTCHA techniques discussed in section 2? Note also that 2.3 (biometrics), 2.4 (limited use accounts), and 2.5 (non-interactive checks), used individually or in combination with each other, do not involve any kind of CAPTCHA challenge.
    >     >   2.  Unless there’s work in a branch of which I’m unaware, it appears that we haven’t clarified the role of biometrics (section 2.3) in relation to CAPTCHA – and this is the subject of an open issue. I recall our discussing it at an RQTF meeting, but I don’t remember there being an agreed upon solution.
    >     >   3.  The rest of my comments are editorial, but I plan to undertake an editorially-focused reading of the draft when it’s closer to publication.
    >     >
    >     >
    >     > ________________________________
    >     >
    >     > This e-mail and any files transmitted with it may contain privileged or confidential information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; do not disclose, copy, distribute, or take any action in reliance on the contents of this information; and delete it from your system. Any other use of this e-mail is prohibited.
    >     >
    >     >
    >     > Thank you for your compliance.
    >     >
    >     > ________________________________
    >
    >     --
    >
    >     Janina Sajka
    >
    >     Linux Foundation Fellow
    >     Executive Chair, Accessibility Workgroup: http://a11y.org
    >
    >     The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
    >     Chair, Accessible Platform Architectures: http://www.w3.org/wai/apa

    >
    >
    >
    >


Received on Thursday, 9 May 2019 18:20:58 UTC