W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2019

Re: [webauthn] Add privacy considerations about credential IDs (#1250)

From: Max Hata via GitHub <sysbot+gh@w3.org>
Date: Thu, 05 Sep 2019 04:31:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-528192275-1567657894-sysbot+gh@w3.org>
> In this case the {{PublicKeyCredentialRequestOptions/allowCredentials}} argument risks leaking [PII],
> if the user can initiate an [=authentication ceremony=] by only providing a username.

"by only providing a username" may sound like it excludes the case where 
a username is derived from "ambient credentials" such as cookies.
To eliminate this concern, how about removing "providing" or something else?

-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1250#issuecomment-528192275 using your GitHub account
Received on Thursday, 5 September 2019 04:31:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:07 UTC