Re: [webauthn] Add privacy considerations about credential IDs (#1250)

From: Max Hata via GitHub <sysbot+gh@w3.org>
Date: Thu, 05 Sep 2019 04:31:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-528192275-1567657894-sysbot+gh@w3.org>
> In this case the {{PublicKeyCredentialRequestOptions/allowCredentials}} argument risks leaking [PII],
> if the user can initiate an [=authentication ceremony=] by only providing a username.

"by only providing a username" may sound like it excludes the case where 
a username is derived from "ambient credentials" such as cookies.
To eliminate this concern, how about removing "providing" or something else?

GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1250#issuecomment-528192275 using your GitHub account
Received on Thursday, 5 September 2019 04:31:37 UTC