Re: [w3ctag/design-reviews] Web NFC (#461)

@atanassov and I are looking at this in a breakout at our Wellington face-to-face.

We (the TAG as a whole) could probably have some further discussion to come up with some more specific advice, but building TAG consensus over that advice would likely take both (a) time and (b) data about the level of user understanding of existing permissions.

> The Yubikey passwords have already been exposed for *anyone* to read, not only via Web NFC.

I think treating native applications that the user has chosen to install as "anyone" is misleading.  Using a web app has much higher expectations of safety and privacy than installing a native app; see [this recently added section to our design principles document](https://w3ctag.github.io/design-principles/#safe-to-browse) on the expectation that visiting a web page is safe.

I suppose this is perhaps still on us to respond to try to provide more specific advice, although I think there are definitely limits to the level of detail at which we'd like to provide such advice. At some point we also need to figure out where the boundary is between the role of the TAG in providing advice versus the role of other browser vendors (some of whom have participants in the TAG) in exercising their right to not implement a specification because they don't trust its security or privacy.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/461#issuecomment-594303409

Received on Wednesday, 4 March 2020 03:17:02 UTC