W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2016

Re: [webauthn] Silent Authn? clarification of bit 0 in AuthenticatorData

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 22 Aug 2016 20:08:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-241533806-1471896538-sysbot+gh@w3.org>
Note also that the abstract at this time (commit master-2b72ddf) 
states..
> Authenticators are responsible for ensuring that no operation is 
performed without user consent.

..and searching for "consent" reveals several other similar 
statements.  Thus at this time, the webauthn spec **does not support 
the "silent authenticator" notion.** 

the definition of a silent authenticator is "an authnr that does not 
prompt the user or perform any user verification".

See also..
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-glossary-v1.0-ps-20141208.html

https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-asm-api-v1.0-ps-20141208.html#security-and-privacy-guidelines
  

The latter features this text..
> ASMs SHOULD ensure that applications cannot use silent 
authenticators for tracking purposes. ASMs implementing support for a 
silent authenticator MUST show, during every registration, a user 
interface which explains what a silent authenticator is, asking for 
the users consent for the registration. Also, it is RECOMMENDED that 
ASMs designed to support roaming silent authenticators either

>o    Run with a special permission/privilege on the system, or
>o    Have a built-in binding with the authenticator which ensures 
that other applications cannot directly communicate with the 
authenticator by bypassing this ASM.





-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/22#issuecomment-241533806 using
 your GitHub account
Received on Monday, 22 August 2016 20:09:06 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:22 UTC