
Re: [webauthn] Consider dropping requirement for TUP on create()

From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
Date: Tue, 03 Oct 2017 04:58:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-333739194-1507006706-sysbot+gh@w3.org>
I have some open questions regarding this topic.
1. The distinction between bound authenticators and roaming authenticators is not as static as one might think. Let's assume a bound authenticator in a smartphone. Let's further assume that smartphone supports the CTAP protocol and is connected to some laptop using CTAP. This makes the bound authenticator a roaming authenticator. Would that authenticator now need to ask for a TUP when creating a new credential?
2. If the bound authenticator doesn't ask for TUP when creating a new credential, are we still assuming that some user was enrolled with this authenticator?  If yes: we should mention such assumption explicitly.  If not: What if user A uses the device when creating the credential and user B then enrolls to the authenticator after that?  This behavior could likely be unexpected for some relying parties.  
3. The FIDO Alliance has published some privacy principles (https://fidoalliance.org/assets/images/general/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf). How would this approach meet those? For example "#1: Require explicit, informed user consent for any operation using personal data".

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564#issuecomment-333739194 using your GitHub account
Received on Tuesday, 3 October 2017 04:58:29 UTC
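Whether a TUP was actually performed at create() is visible to the relying party in the UP bit of the authenticatorData flags byte, so an RP that cares about questions 1 and 2 above can enforce its own policy regardless of authenticator type. The following is an added example of such an RP-side check; it is not code from this thread, the WebAuthn specification or any FIDO project. The flag bit values and the 37-byte header layout are those of the WebAuthn authenticatorData structure; the function names, the `rp_id` value and the sample header are constructed for illustration.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte
FLAG_UP = 0x01  # user present: a test of user presence was performed
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)
FLAG_AT = 0x40  # attested credential data follows (set on create())
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested_credential_data": bool(flags & FLAG_AT),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_registration(auth_data: bytes, rp_id: str, require_uv: bool = False) -> list:
    """Return the policy violations for a create() response (empty list if acceptable)."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not parsed["attested_credential_data"]:
        problems.append("AT flag not set: no attested credential data in create() response")
    if not parsed["user_present"]:
        problems.append("UP flag not set: no test of user presence at registration")
    if require_uv and not parsed["user_verified"]:
        problems.append("UV flag not set: user verification required but not performed")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample header only; the attested credential data that would
    follow when FLAG_AT is set is omitted because the checks above do not read it."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

An RP that rejects registrations lacking the UP bit sidesteps the bound-versus-roaming ambiguity in question 1: it never has to know which kind of authenticator produced the credential.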
