[webauthn] Privacy section may wish to discuss recommended user-agent responses to leaks

agl has just created a new issue for https://github.com/w3c/webauthn:

== Privacy section may wish to discuss recommended user-agent responses to leaks ==
In the [privacy section](https://www.w3.org/TR/2017/WD-webauthn-20170505/#sec-attestation-privacy), the document may wish to recommend responses to privacy leaks by authenticators.

For example, if an authenticator manufacturer ships devices that perform basic attestation, but with unique serial numbers for the device, the user-agent may want to suppress the attestation data from that family of devices in the future. However, attestation is required in the protocol, so should the user-agent fabricate an attestation from a fictitious manufacturer in this case? Or perhaps it should make up a new attestation statement format identifier?

(Choosing not to specify this in the document is a reasonable decision, esp. if the document explicitly says that. In that case, user-agents will make a decision at the time, should the situation arise, based on minimising impact to users.)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/454 using your GitHub account

Received on Sunday, 7 May 2017 23:49:32 UTC