
Re: [webauthn] Consider dropping requirement for TUP on create()

From: Johan Verrept via GitHub <sysbot+gh@w3.org>
Date: Wed, 04 Oct 2017 08:38:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-334087718-1507106305-sysbot+gh@w3.org>

I'm not so sure there are no privacy considerations. Basically, you are allowing any RP to uniquely identify any system with such an authenticator.

All that is needed is a makeCredential call with a requirement for an attached authenticator without UP requirement and an exclude list. If no new credential is created, this particular credential identifies this system. The only practical limit is the time you have to test credentials.

As for practical applications, it would be trivial to use this to validate possible correlations between users.


-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564#issuecomment-334087718 using your GitHub account
Received on Wednesday, 4 October 2017 08:39:22 UTC
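
The privacy concern raised in the comment above, as an added example that is not part of the original message or of the WebAuthn specification: a toy model of an authenticator showing that the exclude-list outcome is observable without user interaction only when no user-presence test (UP/TUP in the thread) gates the operation. The class, function names, result strings and sample credential ID are all hypothetical.

```javascript
// Toy model, constructed for illustration. It is not a real authenticator
// and does not call the WebAuthn API.
class ToyAuthenticator {
  constructor(storedCredentialIds) {
    this.stored = new Set(storedCredentialIds);
  }

  // options.excludeList: credential IDs the caller asks to exclude.
  // options.requireUserPresence: whether a user-presence test gates the call.
  // userGesture: true only if the user actually touched or confirmed.
  makeCredential(options, userGesture) {
    if (options.requireUserPresence && !userGesture) {
      // Same result whether or not an excluded credential is present,
      // so nothing is learned without the user's involvement.
      return "not-allowed";
    }
    const hit = options.excludeList.some((id) => this.stored.has(id));
    return hit ? "excluded" : "created";
  }
}

// Defender's check: with no user interaction at all, can a caller tell a
// device that holds `knownId` apart from one that does not?
function silentOutcomeLeaks(requireUserPresence, knownId) {
  const withCred = new ToyAuthenticator([knownId]);
  const withoutCred = new ToyAuthenticator([]);
  const options = { excludeList: [knownId], requireUserPresence };
  const a = withCred.makeCredential(options, false);
  const b = withoutCred.makeCredential(options, false);
  return a !== b;
}

const SAMPLE_ID = "cred-constructed-01"; // constructed sample value
console.log("leaks without UP:", silentOutcomeLeaks(false, SAMPLE_ID)); // true
console.log("leaks with UP:   ", silentOutcomeLeaks(true, SAMPLE_ID)); // false
```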