Re: Call for Adoption: HTTP Unprompted Authentication

On Tue, Feb 07, 2023 at 12:32:22PM +0000, Stephen Farrell wrote:
> On 07/02/2023 05:58, Mark Nottingham wrote:
> > Hello everyone,
> > 
> > We first discussed this draft at IETF114[1],  saw implementation
> > interest at IETF115, [2] and finally had some more list discussion.
> > 
> > This is a Call for Adoption for:
> > 
> >  Please indicate (in response to this message) whether you support
> > adoption, and whether you intend to implement.
> I'm not sure.
> Can someone clarify whether the u= field amounts
> to a super-cookie or not, and if not, how that
> might be the case?
> If there's a good answer to the above, I'd support
> adoption. If not, not.

The u= is actually not username but key handle. And when it comes to
tracking, the standard stuff for keys appiles:

- Don't use the same key in places you don't want linked together.
- If client chooses key identifiers, don't inclue any PII in those.

(This is how Webauthn addresses the tracking vector.)


Received on Tuesday, 7 February 2023 15:41:54 UTC