Re: [webauthn] Consider dropping requirement for TUP on create()

I have some open question regarding this topic.
1. The distinction between bound authenticators and roaming authenticators is not as static as one might think.  Let's assume a bound authenticator in a smartphone.  Let's further assume that smartphone supports the CTAP protocol and is connected to some laptop using CTAP.  This makes the bound authenticator a roaming authenticator.  Would that authenticator now need to ask for a TUP when creating a new credential?
2. If the bound authenticator doesn't ask for TUP when creating a new credential, are we still assuming that some user was enrolled with this authenticator?  If yes: we should mention such an assumption explicitly.  If not: what if user A uses the device when creating the credential and user B then enrolls with the authenticator after that?  This behavior could likely be unexpected for some relying parties.
3. The FIDO Alliance has published some privacy principles (  How would this approach meet those? For example, "#1: Require explicit, informed user consent for any operation using personal data".

GitHub Notification of comment by rlin1

Received on Tuesday, 3 October 2017 04:58:29 UTC