- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Tue, 19 Sep 2017 16:17:40 +0000
- To: public-webauthn@w3.org
@leshi
> We only want the user id for the single factor use case (i.e., resident keys). In such a use case, the attacker has to convince the authenticator that it's the legit user -- so know the right PIN or get the device to cough up the assertion. Once the assertion is coughed up -- even if there is no user id -- the attacker can just give it to the RP and not only know the user id but actually see the user data... So IMHO, this is not too much of a concern. WDYT?

I agree in the single-factor use case. I don't see anything in the patch that limits the privacy leak to the single-factor case. Am I missing something, or should we explicitly say that the authenticator shouldn't release the user ID when, e.g., it's been passed a credential ID?

--
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-330592503 using your GitHub account
Received on Tuesday, 19 September 2017 16:17:32 UTC
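The rule jyasskin asks about, as an added model that is not part of the thread or of the pull request: the authenticator releases the user handle only in the discoverable (empty allowList) flow, and withholds it whenever the RP has already named a credential ID. The credential store, RP IDs and byte values below are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    rp_id: str
    user_id: bytes   # user handle the RP registered with this credential
    resident: bool   # stored on the authenticator, i.e. discoverable


@dataclass(frozen=True)
class Assertion:
    credential_id: bytes
    user_id: Optional[bytes]   # None when the authenticator withholds it


# Constructed sample store: one resident and one non-resident credential.
STORE: List[Credential] = [
    Credential(b"cred-1", "example.com", b"user-1", resident=True),
    Credential(b"cred-2", "example.com", b"user-2", resident=False),
    Credential(b"cred-3", "other.example", b"user-3", resident=True),
]


def get_assertion(store: List[Credential], rp_id: str,
                  allow_list: List[bytes]) -> Optional[Assertion]:
    """Model of the authenticator-side selection step (hypothetical, not spec text).

    A non-empty allowList means the RP already knows which credential, and so
    which account, it is talking to; echoing the user handle back would only
    leak it to whoever holds the assertion. An empty allowList is the
    single-factor / resident-key case, where the handle is what lets the RP
    find the account at all, so it is released there and only there.
    """
    if allow_list:
        for cred in store:
            if cred.rp_id == rp_id and cred.credential_id in allow_list:
                return Assertion(cred.credential_id, None)
        return None
    for cred in store:
        if cred.rp_id == rp_id and cred.resident:
            return Assertion(cred.credential_id, cred.user_id)
    return None


if __name__ == "__main__":
    print(get_assertion(STORE, "example.com", [b"cred-2"]))  # user_id is None
    print(get_assertion(STORE, "example.com", []))           # user_id b"user-1"
```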