[webauthn] Maybe upgrade user handle PII prohibition to a MUST (#1146)

agl has just created a new issue for https://github.com/w3c/webauthn:

== Maybe upgrade user handle PII prohibition to a MUST ==
The user handle is not considered to be PII in CTAP2, and WebAuthn [says](https://www.w3.org/TR/webauthn/#user-handle):

> The user handle SHOULD NOT contain personally identifying information about the user, such as a username or e-mail address; see §14.9 User Handle Contents for details.

And [section 14.9](https://www.w3.org/TR/webauthn/#sctn-user-handle-privacy) says:

> Since the user handle is not considered personally identifying information … the Relying Party SHOULD NOT include personally identifying information

So is it PII or not? If not, the word MUST (rather than SHOULD) would seem to be indicated. I don't know what real-world effect it'll have, but it would be sad if RPs did the wrong thing and cited that lack of a MUST as justification.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1146 using your GitHub account
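What the "SHOULD NOT" in question asks of a Relying Party, shown as an added example (not code from the WebAuthn spec or the w3c/webauthn repository): the RP issues an opaque random `user.id`, keeps the handle-to-account mapping in its own store, and lints any handle for the exact mistake the text describes (a username or e-mail embedded plainly or in a common encoding). The in-memory registry, the identifier names and the `MIN_MATCH` threshold are assumptions of this example; the 1..64 byte length rule is the spec's.

```python
import base64
import secrets
from typing import Dict, Iterable, List, Optional

# Added example, not the spec's or the project's own code.
# Assumption: the RP keeps an opaque handle <-> account mapping in its own
# database; the in-memory dicts in UserRegistry stand in for that store.

USER_HANDLE_LEN = 64   # WebAuthn limits user.id to 1..64 bytes
MIN_MATCH = 4          # identifiers shorter than this could match random bytes by chance


def new_user_handle() -> bytes:
    """Opaque, random user handle: carries no information about the account."""
    return secrets.token_bytes(USER_HANDLE_LEN)


def is_valid_user_handle(handle: bytes) -> bool:
    """Length rule from the spec: a user handle is 1 to 64 bytes."""
    return 1 <= len(handle) <= USER_HANDLE_LEN


def _encodings(identifier: str) -> List[bytes]:
    """The forms an identifier commonly shows up in when someone stuffs it into user.id."""
    raw = identifier.encode("utf-8")
    return [
        raw,
        raw.hex().encode("ascii"),
        base64.b64encode(raw),
        base64.urlsafe_b64encode(raw).rstrip(b"="),
    ]


def looks_like_pii(handle: bytes, identifiers: Iterable[str]) -> bool:
    """Heuristic lint for the mistake the spec warns about: a user handle that
    embeds the username or e-mail (or the e-mail's local part), plainly or in
    hex/base64. Identifiers shorter than MIN_MATCH bytes are skipped so a
    genuinely random handle is not flagged by accident."""
    lowered = handle.lower()
    for ident in identifiers:
        if not ident:
            continue
        candidates = [ident]
        if "@" in ident:
            candidates.append(ident.split("@", 1)[0])
        for cand in candidates:
            if len(cand.encode("utf-8")) < MIN_MATCH:
                continue
            for enc in _encodings(cand):
                if enc.lower() in lowered:
                    return True
    return False


class UserRegistry:
    """Constructed stand-in for the RP's account store."""

    def __init__(self) -> None:
        self._account_by_handle: Dict[bytes, str] = {}
        self._handle_by_account: Dict[str, bytes] = {}

    def register(self, account_id: str, username: str, email: str) -> bytes:
        """Issue the user.id the RP places in PublicKeyCredentialCreationOptions.
        The same account always gets the same handle, so later registrations
        refer to the same user; the handle itself says nothing about who that is."""
        if account_id in self._handle_by_account:
            return self._handle_by_account[account_id]
        handle = new_user_handle()
        # A random handle cannot trip this; a hand-built one (e.g. email.encode()) would.
        if looks_like_pii(handle, (username, email)):
            raise ValueError("user handle leaks account identifiers")
        self._account_by_handle[handle] = account_id
        self._handle_by_account[account_id] = handle
        return handle

    def account_for(self, handle: bytes) -> Optional[str]:
        """Resolve the userHandle returned in an assertion back to the account."""
        return self._account_by_handle.get(handle)


if __name__ == "__main__":
    reg = UserRegistry()
    h = reg.register("acct-1", "alice", "alice@example.com")  # constructed account
    print(len(h), reg.account_for(h))
    print(looks_like_pii(b"alice@example.com", ["alice@example.com"]))
```

The lint is deliberately a last line of defence: the real fix is that `register` never derives the handle from anything the RP knows about the user, which is what a MUST would make unambiguous.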

Received on Friday, 18 January 2019 22:01:01 UTC