[webauthn] Privacy concerns with blacklist/whitelist

hillbrad has just created a new issue for 
https://github.com/w3c/webauthn:

== Privacy concerns with blacklist/whitelist ==
Do the blacklist/whitelist features allow re-identification of the 
user without informed consent?

If I call makeCredential() with a blacklist, is it clear to the user 
that the blacklist may reveal other identities they have registered 
with the site previously?

If I call getAssertion() with a whitelist, can't the timing of an 
immediate return if no credentials in that whitelist are present vs. a 
delay for user approval also effectively re-identify a user without 
consent?

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/184 using your GitHub account

Received on Wednesday, 24 August 2016 16:12:47 UTC