[webauthn] Issue: Privacy across OS accounts marked as stat:Discuss

levangongPayPal has just labeled an issue for 
https://github.com/w3c/webauthn as "stat:Discuss":

== Privacy across OS accounts ==
This is more of question than anything else.
Section 1 - Use Cases says:
“Additionally, privacy across WebAuthn Relying Parties must be 
maintained; scripts must not be able to detect any properties, or even
 the existence, of scoped credentials belonging to other WebAuthn 
Relying Parties."

>From a privacy perspective, is there anything we can say or do to 
enable privacy-preserving measures between users sharing a device but 
using different OS accounts?
Could we define an (API) extension or more likely recommend an 
implementation approach that would allow to link a credential to an OS
 account?
This would help avoiding the leak of information later on (e.g. when 
Bob registers or authenticates to a particular web site, he notices 
that Alice has also an account at that provider).
In other words, should we suggest that, whenever possible, credentials
 should be scoped to authenticator-OS account-RP or something like 
that?

See https://github.com/w3c/webauthn/issues/96

Received on Thursday, 12 May 2016 20:46:19 UTC