Re: [web-nfc] Security and Privacy: NDEF scope not considered adequately (#537)

It is not clear what the threat is in the YubiKey case. NDEF fallback is quite often used. The content owner can decide what information to put there.

Related, it is not clear why and in what ways implementations or browser vendors are liable to _anticipate_ how NDEF content is used (by an app, or other apps, I assume).

The "post-it note" metaphor was used for explaining that an NDEF tag can be read by anyone.
That is slightly different from peer-to-peer (discontinued), which is dynamic and targeted (in a similar fashion you describe plain NDEF can also be used), but the Security section did cover P2P as well.

Please bear with me: in order to improve things we need more specific threat descriptions and eventually mitigation proposals, too.

-- 
GitHub Notification of comment by zolkis
Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/537#issuecomment-578640902 using your GitHub account

Received on Monday, 27 January 2020 08:28:14 UTC