[webauthn] Regarding the issue of Credential ID exposure, from what perspective should RP compare RK and NRK and which should be adopted? (#1484)

keikoit has just created a new issue for https://github.com/w3c/webauthn:

== Regarding the issue of Credential ID exposure, from what perspective should RP compare RK and NRK and which should be adopted? ==
Thank you for the quick response I received the other day to issue #1475.

Let me raise another discussion in this regard.

I think there are various countermeasures for Credential ID exposure.
The RP has to think about how effective they are, how much complex work the RP will have to do, and how they will affect usability for consumers.

On the other hand, if we use RK and set AllowCredentials = empty, the server does not need to send the CredentialID, which I think is one of the fundamental solutions to this problem.

I think it would be good to mention this point in the specifications and encourage RPs to decide whether to use RK or NRK by balancing their own risk judgment against ease of implementation.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1484 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 15 September 2020 23:13:53 UTC