- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Tue, 03 Oct 2017 04:58:40 +0000
- To: public-webauthn@w3.org
I have some open questions regarding this topic.

1. The distinction between bound authenticators and roaming authenticators is not as static as one might think. Let's assume a bound authenticator in a smartphone. Let's further assume that smartphone supports the CTAP protocol and is connected to some laptop using CTAP. This makes the bound authenticator a roaming authenticator. Would that authenticator now need to ask for a TUP when creating a new credential?

2. If the bound authenticator doesn't ask for TUP when creating a new credential, are we still assuming that some user was enrolled with this authenticator? If yes: we should mention such an assumption explicitly. If not: what if user A uses the device when creating the credential and user B then enrolls to the authenticator after that? This behavior could likely be unexpected for some relying parties.

3. The FIDO Alliance has published some privacy principles (https://fidoalliance.org/assets/images/general/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf). How would this approach meet those? For example "#1: Require explicit, informed user consent for any operation using personal data".

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564#issuecomment-333739194 using your GitHub account
Received on Tuesday, 3 October 2017 04:58:29 UTC
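Questions 1 and 2 above turn on whether a test of user presence (TUP) actually happened at credential creation, which a relying party cannot infer from the authenticator's attachment alone. The following is an added example, not part of the original message or of the w3c/webauthn project, showing how an RP can parse the authenticator data returned at registration and check the UP and UV flags for itself. The byte layout follows WebAuthn Level 1 section 6.1; the `policy` object shape and the sample inputs (a placeholder rpIdHash, a flags byte, a zero counter) are constructed for this example and are not captured from a real authenticator.

```javascript
// Added example (not from the original message): relying-party-side
// parsing of WebAuthn authenticatorData so the RP verifies for itself
// whether a test of user presence (UP) was reported at registration,
// instead of assuming it from the authenticator's attachment.
//
// authenticatorData layout (WebAuthn Level 1, section 6.1):
//   bytes 0..31   rpIdHash (SHA-256 of the RP ID)
//   byte  32      flags: bit 0 UP, bit 2 UV, bit 6 AT, bit 7 ED
//   bytes 33..36  signCount, big-endian uint32
//   bytes 37..    attestedCredentialData when AT is set (not parsed here)

const FLAG_UP = 0x01; // user present (test of user presence performed)
const FLAG_UV = 0x04; // user verified (PIN, biometric, ...)
const FLAG_AT = 0x40; // attested credential data included
const FLAG_ED = 0x80; // extension data included

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredentialIncluded: (flags & FLAG_AT) !== 0,
    extensionDataIncluded: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false), // big-endian
  };
}

// Policy check an RP would run on a registration response. The `policy`
// shape { requireUserPresence, requireUserVerification } is hypothetical,
// chosen for this example only.
function checkRegistrationAuthData(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  const problems = [];
  if (!parsed.attestedCredentialIncluded) {
    problems.push('AT flag clear: no attested credential data in a registration response');
  }
  if (policy.requireUserPresence && !parsed.userPresent) {
    problems.push('UP flag clear: authenticator did not report a test of user presence');
  }
  if (policy.requireUserVerification && !parsed.userVerified) {
    problems.push('UV flag clear: authenticator did not report user verification');
  }
  return { ok: problems.length === 0, problems, parsed };
}

// Constructed sample inputs (not captured from a real authenticator):
// a 32-byte placeholder rpIdHash, the given flags byte and a zero sign
// counter. The attested credential data that would follow byte 36 when
// AT is set is omitted because this example does not parse it.
function buildSampleAuthData(flags) {
  const out = new Uint8Array(37);
  out.fill(0xaa, 0, 32); // placeholder rpIdHash, not a real SHA-256
  out[32] = flags;
  // bytes 33..36 stay zero -> signCount 0
  return out;
}

const SAMPLE_UP_AT = buildSampleAuthData(FLAG_UP | FLAG_AT); // TUP reported
const SAMPLE_AT_ONLY = buildSampleAuthData(FLAG_AT);         // no TUP reported

const POLICY_PRESENCE = { requireUserPresence: true, requireUserVerification: false };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRegistrationAuthData(SAMPLE_UP_AT, POLICY_PRESENCE));
  console.log(checkRegistrationAuthData(SAMPLE_AT_ONLY, POLICY_PRESENCE));
}
```

The design point is that the RP's decision rests on what the authenticator asserted in the flags byte, so a bound authenticator that later behaves as a roaming one (question 1) or one that skipped TUP (question 2) is caught by the same check rather than by an assumption about attachment.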