
[webauthn] Privacy across OS accounts

From: levangongPayPal via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 May 2016 20:46:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-154577449-1463085976-sysbot+gh@w3.org>
levangongPayPal has just created a new issue for 
https://github.com/w3c/webauthn:

== Privacy across OS accounts ==
This is more of a question than anything else.
Section 1 - Use Cases says:
"Additionally, privacy across WebAuthn Relying Parties must be
maintained; scripts must not be able to detect any properties, or even
the existence, of scoped credentials belonging to other WebAuthn
Relying Parties."

From a privacy perspective, is there anything we can say or do to
enable privacy-preserving measures between users sharing a device but 
using different OS accounts?
Could we define an (API) extension or, more likely, recommend an
implementation approach that would allow linking a credential to an OS
account?
This would help avoid the leak of information later on (e.g. when
Bob registers or authenticates to a particular web site, he notices
that Alice also has an account at that provider).
In other words, should we suggest that, whenever possible, credentials
should be scoped to authenticator-OS account-RP or something like
that?

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/96 using your GitHub account
Received on Thursday, 12 May 2016 20:46:19 UTC
