Re: [webauthn] Plumb User ID through

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Sep 2017 16:17:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-330592503-1505837848-sysbot+gh@w3.org>

> We only want the user id for the single factor use case (i.e., resident keys). In such a use case, the attacker has to convince the authenticator that it's the legit user -- so know the right PIN or get the device to cough up the assertion. Once the assertion is coughed up -- even if there is no user id -- the attacker can just give it to the RP and not only know the user id but actually see the user data... So IMHO, this is not too much of a concern. WDYT?

I agree in the single-factor use case. I don't see anything in the patch that limits the privacy leak to the single-factor case. Am I missing something, or should we explicitly say that the authenticator shouldn't release the user ID when, e.g., it's been passed a credential ID?

GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-330592503 using your GitHub account
Received on Tuesday, 19 September 2017 16:17:32 UTC
