Re: [webauthn] imageURL privacy

Please remind me, why isn't icon part of [PublicKeyCredentialUserEntity](https://w3c.github.io/webauthn/#sctn-user-credential-params)?

I think it is valuable to have icon images e.g. if the authenticator is implemented on a smart watch or smart phone.

My opinion:
The origins of the icon URL and the RP origin MUST match.
The icon URL must be secure.
Passing icon data to the Authenticator is optional.
The Conforming User Agent MAY re-scale the image data before passing it to the Authenticator.
The Conforming User Agent MUST NOT pass non-image data or unsupported image data to the Authenticator. If the Conforming User Agent passes any image data to the Authenticator then PNG MUST be supported.
If the icon data is passed to the Authenticator then the Conforming User Agent MUST download the icon data once at makeCredential-time and convert it to a "data:image/png;base64" before passing it to the authenticator. 
If the icon data is NOT passed to the Authenticator but the Conforming User Agent provides an UI that shows the image then the Conforming User Agent SHOULD download the icon data once at makeCredential-time and SHOULD not download it again to protect the privacy of the user.

-- 
GitHub Notification of comment by AxelNennker
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/139#issuecomment-329716679 using your GitHub account

Received on Friday, 15 September 2017 08:27:12 UTC