- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 14 Aug 2018 12:15:55 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn:
== Divide Security/Privacy Considerations into subsections by audience? ==
The Security Considerations and Privacy Considerations sections have grown quite large (9 A4 pages when printed as PDF at the time of writing), and it's not obvious by looking at the table of contents which subsections are relevant to which audiences:
13. Security Considerations
13.1. Cryptographic Challenges
13.2. Attestation Security Considerations
13.2.1. Attestation Certificate Hierarchy
13.2.2. Attestation Certificate and Attestation Certificate CA Compromise
13.3. Security Benefits for WebAuthn Relying Parties
13.3.1. Considerations for Self and None Attestation Types and Ignoring Attestation
13.4. credentialId Unsigned
13.5. Browser Permissions Framework and Extensions
14. Privacy Considerations
14.1. De-anonymization prevention measures
14.2. Anonymous, scoped, non-correlatable public key credentials
14.3. Authenticator-local biometric recognition
14.4. Attestation Privacy
14.5. Registration Ceremony Privacy
14.6. Authentication Ceremony Privacy
14.7. Privacy between operating system accounts
Perhaps we should divide them into subsections by audience - maybe something like this?
13. Implementation Considerations
    1. Security Considerations
        1. Attestation Certificate and Attestation Certificate CA Compromise
        2. credentialId Unsigned
        3. Security Considerations for Authenticators
            1. Attestation Certificate Hierarchy
        4. Security Considerations for Clients
            1. Browser Permissions Framework and Extensions
        5. Security Considerations for Relying Parties
            1. Cryptographic Challenges
            2. Security Benefits for WebAuthn Relying Parties
                1. Considerations for Self and None Attestation Types and Ignoring Attestation
    2. Privacy Considerations
        1. De-anonymization prevention measures
        2. Anonymous, scoped, non-correlatable public key credentials
        3. Authenticator-local biometric recognition
        4. Privacy Considerations for Authenticators
            1. Attestation Privacy
        5. Privacy Considerations for Clients
            1. Registration Ceremony Privacy
            2. Authentication Ceremony Privacy
            3. Privacy between operating system accounts
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1039 using your GitHub account
Received on Tuesday, 14 August 2018 12:15:56 UTC