[webauthn] credential id privacy from Axel Nennker via GitHub on 2016-07-06 (public-webauthn@w3.org from July 2016)

From: Axel Nennker via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Jul 2016 14:53:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-164095453-1467816796-sysbot+gh@w3.org>

AxelNennker has just created a new issue for 
https://github.com/w3c/webauthn:

== credential id privacy ==
the current editor's draft does not limit credential id in any way 
while it promises that the privacy of the user is protected cross RP -
 unlinkability.
https://w3c.github.io/webauthn/#credential-id

The Privacy subsection 
https://w3c.github.io/webauthn/#sec-attestation-privacy mentions 
Attestation Keys but not credential id. A credential id could leak PII
 if the platform or the authenticator is not careful about this.

If https://github.com/w3c/webauthn/issues/6 introduces structure to 
credential id then information leakage should be considered too.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/140 using your GitHub account

Received on Wednesday, 6 July 2016 14:53:28 UTC