
[webauthn] Maybe upgrade user handle PII prohibition to a MUST (#1146)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Fri, 18 Jan 2019 22:00:59 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-400905342-1547848858-sysbot+gh@w3.org>
agl has just created a new issue for https://github.com/w3c/webauthn:

== Maybe upgrade user handle PII prohibition to a MUST ==
The user handle is not considered to be PII in CTAP2 and in Webauthn [says](https://www.w3.org/TR/webauthn/#user-handle):

> The user handle SHOULD NOT contain personally identifying information about the user, such as a username or e-mail address; see §14.9 User Handle Contents for details.

And [section 14.9](https://www.w3.org/TR/webauthn/#sctn-user-handle-privacy) says:

> Since the user handle is not considered personally identifying information … the Relying Party SHOULD NOT include personally identifying information

So is it PII or not? If not, the word MUST (rather than SHOULD) would seem to be indicated. I don't know what real-world effect it'll have, but it would be sad if RPs did the wrong thing and cited that lack of a MUST as justification.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1146 using your GitHub account
Received on Friday, 18 January 2019 22:01:01 UTC
