
[webauthn] credential id privacy

From: Axel Nennker via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Jul 2016 14:53:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-164095453-1467816796-sysbot+gh@w3.org>
AxelNennker has just created a new issue for 
https://github.com/w3c/webauthn:

== credential id privacy ==
The current editor's draft does not limit credential id in any way 
while it promises that the privacy of the user is protected cross RP - 
unlinkability.
https://w3c.github.io/webauthn/#credential-id

The Privacy subsection 
https://w3c.github.io/webauthn/#sec-attestation-privacy mentions 
Attestation Keys but not credential id. A credential id could leak PII
 if the platform or the authenticator is not careful about this.

If https://github.com/w3c/webauthn/issues/6 introduces structure to 
credential id then information leakage should be considered too.

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/140 using your GitHub account
Received on Wednesday, 6 July 2016 14:53:28 UTC
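
The concern raised in this message, as an added illustration that is not part of the original e-mail or of the WebAuthn draft: a check an authenticator implementer could run to see whether credential IDs issued to two different RPs share bytes that would let the RPs correlate a user. The function names, the two ID schemes, the sample serial number and the 8-byte threshold are all assumptions made for this sketch.

```python
import hashlib
import os

DEVICE_SERIAL = b"SN-0001-CONSTRUCTED"  # constructed sample value, not a real identifier


def leaky_credential_id(rp_id: str) -> bytes:
    """Hypothetical weak scheme: a stable device identifier is embedded in every ID."""
    return DEVICE_SERIAL + hashlib.sha256(rp_id.encode()).digest()[:16]


def random_credential_id(rp_id: str) -> bytes:
    """Hypothetical opaque scheme: fresh random bytes, nothing shared between RPs."""
    return os.urandom(32)


def longest_shared_run(a: bytes, b: bytes) -> int:
    """Length of the longest contiguous byte sequence present in both a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def linkable(make_id, rp_a="rp-a.example", rp_b="rp-b.example", threshold=8) -> bool:
    """True if the IDs issued to two RPs share a run of at least `threshold` bytes."""
    return longest_shared_run(make_id(rp_a), make_id(rp_b)) >= threshold


if __name__ == "__main__":
    for scheme in (leaky_credential_id, random_credential_id):
        print(scheme.__name__, "linkable across RPs:", linkable(scheme))
```

A shared-substring test only catches plaintext structure; an ID that encodes the same identifier under a reversible transform would need a scheme-specific check.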
