Re: [w3ctag/design-reviews] Web NFC (#461)

We [discussed this further](https://github.com/w3ctag/meetings/blob/gh-pages/2020/telcons/02-17-minutes.md#web-nfc) in today's TAG call.

One thing we discussed a bit was the issue of YubiKeys exposing one-time passwords via NDEF, [originally raised in the Mozilla standards-positions issue](https://github.com/mozilla/standards-positions/issues/238#issuecomment-578457411).  While you certainly could argue that Yubico shouldn't have exposed the user's one-time passwords via `NDEF`, they have done so, and that they have done so is an existence proof for the problem that hardware vendors may not use `NDEF` the way you or I might think it should have been used.  Given that traversing a link to a web page should generally be safe, we should consider the range of uses of `NDEF` when deciding how risky it is to expose `NDEF` to the web, and if we're going to ask users about it, what users would need to consent to.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/461#issuecomment-588533766

Received on Wednesday, 19 February 2020 23:47:34 UTC