Re: [w3ctag/design-reviews] Web Authentication Level 2 (#577)

Hi @mikewest @agl kreichgauer. Sorry this dropped off of our radar. We are spending some time looking at it today. We're noting a lack of use cases. It looks to me like the use cases in the level 2 spec are the same ones as in the level 1 spec - so this raises the question: what additional use cases (user needs) are being solved with level 2? Our take on explainers is that they should generally start with the user needs. I have no doubt that there are important new user needs that y'all are trying to solve with level 2 - but it's not clear from the explainer what those are. Even if the answer is: "this spec adds some commonly used authentication mechanisms to webauth."

Regarding the security & privacy self-check, the responses look good. I'm concerned about the fingerprinting implications of the Apple-specific attestation format. There doesn't seem to be any discussion on mitigation against that. Also, there are no plans to have different behaviour in incognito mode. Is that a good thing, especially considering the additional fingerprinting surface area? Do you have additional information about why device-vendor-specific mechanisms are required? It's unusual for device vendor specific technologies in the web platform - see [Web Platform Design Principles](https://w3ctag.github.io/design-principles/#wrapper-apis) and the [Ethical Web Principles](https://w3ctag.github.io/ethical-web-principles/#multi).

One side note: the explainer and response to the security & privacy questionnaire are both in Google Doc format and we'd really like to encourage these to be in markdown alongside the spec itself...

We're aware we took too long on this review and we're not seeking to block anything, however we think the quality of the explainer and spec will be greatly improved by addressing the above issues.

https://github.com/w3ctag/design-reviews/issues/577#issuecomment-809541056

Received on Monday, 29 March 2021 16:54:18 UTC