- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 12 Sep 2018 16:34:07 +0000
- To: public-webauthn@w3.org
(Replying to questions above. Will reply to inline questions separately.) > How is the sequence of transports to be ordered (beyond the first transport, which is the one that was used for authenticating)? Non-functional ordering differences have been used in the past to fingerprint users without any functional benefit. That's a good point. How about defining it to be lexicographical after the first element? > One suggested mitigation is to provide a "generic value", but it seems like AuthenticatorTransport is an enum without any generic values. Does the enum need an "unknown"/"generic" value added? Or does the IDL allow implementers to return a value not in the specified enumeration? At the highest level, there are two options for how a browser might withhold this information: one is to allow it a distinguished value (e.g. an empty list) which makes it clear that the value was withheld. The other is to have it provide a constant, plausible value which is unrelated to reality. I've chosen the latter here, but I really don't know what something like Tor Browser would prefer. I guess it's pretty obvious to sites that a client is Tor Browser so perhaps the former is preferred? But, assuming the latter, the "generic value" is intended simply to communicate that the client may pick whatever they think provides the largest anonymity set. That may change over time so I didn't want to nail it down here. At the moment, I would suggest ["usb"] as probably the best option. -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1050#issuecomment-420714358 using your GitHub account
Received on Wednesday, 12 September 2018 16:34:09 UTC