- From: levangongPayPal via GitHub <sysbot+gh@w3.org>
- Date: Thu, 12 May 2016 20:46:17 +0000
- To: public-webauthn@w3.org
levangongPayPal has just labeled an issue for https://github.com/w3c/webauthn as "stat:Discuss":

== Privacy across OS accounts ==

This is more of a question than anything else. Section 1 - Use Cases says:

"Additionally, privacy across WebAuthn Relying Parties must be maintained; scripts must not be able to detect any properties, or even the existence, of scoped credentials belonging to other WebAuthn Relying Parties."

From a privacy perspective, is there anything we can say or do to enable privacy-preserving measures between users sharing a device but using different OS accounts? Could we define an (API) extension or, more likely, recommend an implementation approach that would allow linking a credential to an OS account? This would help avoid leaking information later on (e.g. when Bob registers or authenticates to a particular web site, he notices that Alice also has an account at that provider). In other words, should we suggest that, whenever possible, credentials should be scoped to authenticator-OS account-RP or something like that?

See https://github.com/w3c/webauthn/issues/96
Received on Thursday, 12 May 2016 20:46:19 UTC
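As an added illustration of the scoping question raised in the message above (this is example code written for this page, not code from the WebAuthn specification, from any browser, or from the issue author), the following toy model of a platform authenticator's credential store shows what changes when the OS account becomes part of a credential's scope key rather than the RP ID alone. The class name ScopedCredentialStore, its methods register() and lookup(), the option scopeToOsAccount, and the sample RP IDs and user handles are all invented for this illustration; real authenticators store and match credentials differently, and the RP ID itself is validated against the calling origin by the client, which this model does not reproduce.

```javascript
// Toy model of a platform authenticator's credential store (added example; names and
// structure are assumptions made for this illustration, not the WebAuthn spec's own).

class ScopedCredentialStore {
  // scopeToOsAccount: when true, the OS account is part of the scope key, so a
  // credential created under one OS account is invisible under another.
  constructor({ scopeToOsAccount }) {
    this.scopeToOsAccount = scopeToOsAccount;
    this.creds = [];   // { id, scope, rpId, osAccount, userHandle }
    this.nextId = 1;
  }

  scopeKey(rpId, osAccount) {
    return this.scopeToOsAccount ? `${osAccount}|${rpId}` : rpId;
  }

  // Registration: RP rpId asks for a new credential while osAccount is logged in.
  register({ rpId, osAccount, userHandle }) {
    const cred = {
      id: `cred-${this.nextId++}`,
      scope: this.scopeKey(rpId, osAccount),
      rpId,
      osAccount,
      userHandle,
    };
    this.creds.push(cred);
    return cred.id;
  }

  // Authentication: return the credentials the caller may see and use.
  // An empty allowList models the "discoverable" flow in which the authenticator
  // offers every matching credential in an account chooser; that chooser is the
  // channel through which Bob would learn about Alice's account in the issue.
  // Cross-RP rule: a credential minted for another rpId is never returned, even if
  // its id is guessed in allowList, and the result is the same empty list as for
  // "no credential at all", so existence is not revealed.
  lookup({ rpId, osAccount, allowList = [] }) {
    const key = this.scopeKey(rpId, osAccount);
    return this.creds
      .filter((c) => c.scope === key)
      .filter((c) => allowList.length === 0 || allowList.includes(c.id))
      .map((c) => ({ id: c.id, userHandle: c.userHandle }));
  }
}

// Scenario from the message: Alice and Bob share one device with separate OS
// accounts, and both have an account at example.com (constructed sample data).
function sharedDeviceScenario(scopeToOsAccount) {
  const auth = new ScopedCredentialStore({ scopeToOsAccount });
  const aliceId = auth.register({ rpId: 'example.com', osAccount: 'alice', userHandle: 'u-alice' });
  auth.register({ rpId: 'example.com', osAccount: 'bob', userHandle: 'u-bob' });

  // Bob signs in at example.com with a discoverable flow: what does his chooser show?
  const bobSees = auth
    .lookup({ rpId: 'example.com', osAccount: 'bob' })
    .map((c) => c.userHandle);

  // A different RP, running in Bob's session, probes for Alice's credential by id.
  const otherRpSees = auth.lookup({ rpId: 'other.example', osAccount: 'bob', allowList: [aliceId] });

  return { bobSees, otherRpSees };
}

console.log(JSON.stringify({
  rpOnlyScope: sharedDeviceScenario(false),
  rpAndOsAccountScope: sharedDeviceScenario(true),
}));
```

With RP-only scoping, Bob's chooser lists both u-alice and u-bob, which is exactly the leak the message describes; with the OS account folded into the scope key it lists only u-bob. In both configurations the cross-RP probe returns an empty list, matching the Section 1 requirement that scripts cannot detect properties or existence of another RP's credentials.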