Re: [webauthn] Add instructions for passing unknown extensions to authenticators

>@agl: Taking the geolocation extension as an example: browsers would not want that to bypass their geolocations permissions framework.

>@selfissued: Also, the spec already says that extensions must be defined in such a way that the generic transform won't result in security or privacy problems.

This, then, looks to me like the spec is internally inconsistent. A generic transform of the [`loc`][loc] extension _will_ be passed through as a valid authenticator extension input, the authenticator (if it supports it, of course) will happily include location data in its response, and the client will pass that on to the RP in the authenticator data. The browser would have to actively **opt out** of generically transforming the `loc` extension to prevent it from circumventing the browser's location access controls (because the location data source is the authenticator, not the browser).

On the other hand, the authenticator is always assumed to be trusted, right? In some sense, then, the user _does_ consent to sharing location information if they consent to proceeding with the operation, even if this happens to circumvent the browser's access controls - but I guess the issue arises if it's not obvious (or even visible) to the user that the RP requests location data. It doesn't seem unreasonable to expect that someone might market an authenticator with a GPS chip but no display capability.

I think the specific case of the `loc` extension could be solved by either (1) specifying that the authenticator MUST obtain clear consent to share the location, or by (2) having the client provide the location data instead of the Boolean `true` as the authenticator input. Perhaps some strategy like that can be generalized to cover future extensions too?

[loc]: https://pr-preview.s3.amazonaws.com/selfissued/webauthn/pull/789.html#sctn-location-extension

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/789#issuecomment-364421007 using your GitHub account

Received on Friday, 9 February 2018 12:29:49 UTC
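To make the concern in the comment above concrete, here is an added example (not code from the WebAuthn specification, the linked PR, or the comment author) modelling the client step that turns client extension inputs into authenticator extension inputs. A naive generic transform relays `loc: true` to a simulated GPS-equipped authenticator, which answers with a position regardless of the browser's geolocation permission; the guarded builder shows both mitigations sketched above: the client opts out of relaying `loc` unless the permission is granted, in which case it substitutes its own location data for the Boolean (strategy 2), and the simulated authenticator can be told to withhold location when it has no way to obtain consent (strategy 1). All function names, the `NATIVE_EXTENSIONS` and `PERMISSION_GATED` sets, the `frobnicate` extension and the coordinates are assumptions constructed for illustration; the spec's CBOR encoding step is represented by a deep copy of a JSON-compatible value.

```javascript
// Added example, not from the WebAuthn spec, the linked PR or the comment
// author.  Every name below is an assumption made for illustration.

// Extensions this hypothetical client implements itself.
const NATIVE_EXTENSIONS = new Set(["appid", "txAuthSimple"]);

// Extensions whose pass-through would let the authenticator supply data the
// browser normally gates behind a permission prompt (assumed mapping).
const PERMISSION_GATED = { loc: "geolocation" };

// Generic transform: relay the client extension input unchanged.  The spec's
// CBOR encoding is represented by a deep copy of a JSON-compatible value;
// anything that could not be encoded is rejected.
function genericTransform(value) {
  const t = typeof value;
  if (value === null || t === "boolean" || t === "number" || t === "string") return value;
  if (Array.isArray(value)) return value.map(genericTransform);
  if (t === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, genericTransform(v)]));
  }
  throw new TypeError(`extension input of type ${t} cannot be encoded`);
}

// Naive client: every extension, known or not, gets the generic transform.
function naivePassThrough(clientInputs) {
  return Object.fromEntries(
    Object.entries(clientInputs).map(([id, input]) => [id, genericTransform(input)])
  );
}

// Guarded client.  `permissions` is the browser's permission state for the
// origin; `clientSupplied` holds values the client is willing to provide in
// place of the RP's input (strategy 2 above).
function buildAuthenticatorExtensionInputs(clientInputs, permissions = {}, clientSupplied = {}) {
  const authInputs = {};
  const dropped = [];
  for (const [id, input] of Object.entries(clientInputs)) {
    if (NATIVE_EXTENSIONS.has(id)) {
      authInputs[id] = genericTransform(input); // native processing elided; same shape here
    } else if (id in PERMISSION_GATED) {
      if (permissions[PERMISSION_GATED[id]] === "granted" && id in clientSupplied) {
        authInputs[id] = genericTransform(clientSupplied[id]); // client provides the data itself
      } else {
        dropped.push(id); // opt out: do not relay a request the browser cannot mediate
      }
    } else {
      authInputs[id] = genericTransform(input); // unknown extension: generic transform
    }
  }
  return { authInputs, dropped };
}

// Simulated authenticator with a GPS chip.  With `requireConsent` set it only
// reports a position when it has a display to ask the user (strategy 1); a
// client-supplied location object is echoed back unchanged (assumption).
function simulateAuthenticator(authInputs, { requireConsent = false, hasDisplay = false } = {}) {
  const outputs = {};
  if (authInputs.loc === true) {
    if (!requireConsent || hasDisplay) {
      outputs.loc = { lat: 59.3293, lon: 18.0686 }; // constructed sample coordinates
    }
  } else if (authInputs.loc && typeof authInputs.loc === "object") {
    outputs.loc = authInputs.loc;
  }
  if (authInputs.appid !== undefined) outputs.appid = false;
  return outputs;
}
```

Running `naivePassThrough({ loc: true })` through `simulateAuthenticator` yields a position with no browser involvement, which is the bypass described above; `buildAuthenticatorExtensionInputs` with the geolocation permission denied reports `loc` in `dropped` and the authenticator never sees it, while an unknown extension such as `frobnicate` still passes through the generic transform.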