
11.3 & 11.4: define the mitigation #143

Closed
samuelweiler opened this issue Oct 7, 2021 · 9 comments
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@samuelweiler (Member) commented Oct 7, 2021

Can we standardize this mitigation, and is this mitigation sufficient? So rather than "One possible way to defeat this ..." just provide instructions? As in #142, the instructions might better fit elsewhere in the doc.

@samuelweiler samuelweiler added the privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on. label Oct 7, 2021
@samuelweiler samuelweiler changed the title 10.3 define the mitigation 10.3 & 10.4: define the mitigation Oct 7, 2021
@stephenmcgruer (Collaborator)

This issue is effectively a dupe of #77, where this attack is being discussed. The spec should possibly be reworded to make it clear that there is nothing a website (Relying Party or otherwise) can currently do to achieve this mitigation - it is for the spec/user agent to figure out.

@samuelweiler (Member, Author) commented Oct 28, 2021

Additionally, I would prefer to see a mitigation that does not require the RP/bank to be well-behaved. What mechanism can we use that works even if the RP won't cooperate, e.g. with the salting scheme?
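To make concrete what "a mitigation that does not require the RP to be well-behaved" means, here is an added illustration (not from the issue, the spec, or issue #77, and not the scheme actually proposed there) of a user-agent-side salting of credential IDs. The browser keys an HMAC with a secret only it holds and binds the result to the calling origin, so two colluding sites that both learn the "credential ID" for the same user see unrelated values, and no cooperation from the Relying Party is needed. The function names, the sample credential ID and the secret are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (not taken from the issue or the spec): one raw
# credential ID that two different sites would both learn for the same user,
# and a secret that, in practice, the browser would generate per profile.
RAW_CREDENTIAL_ID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
UA_SECRET = bytes.fromhex("11" * 32)

ORIGINS = ["https://bank.example", "https://merchant.example"]


def salt_credential_id(ua_secret: bytes, origin: str, raw_id: bytes) -> bytes:
    """Hypothetical user-agent-side derivation (example only).

    HMAC-SHA256 keyed with a secret only the browser holds, over the calling
    origin and the raw credential ID. The origin is length-separated from the
    ID with a NUL so no two (origin, id) pairs can collide as byte strings.
    The RP never sees ua_secret, so it cannot reverse or bypass the derivation
    regardless of how it behaves.
    """
    return hmac.new(ua_secret, origin.encode("utf-8") + b"\x00" + raw_id,
                    hashlib.sha256).digest()


def ids_seen_by_sites(salted: bool) -> dict:
    """What each origin ends up holding for this user.

    Unsalted: every site sees the same raw credential ID.
    Salted: every site sees a value derived for that site alone.
    """
    if salted:
        return {o: salt_credential_id(UA_SECRET, o, RAW_CREDENTIAL_ID) for o in ORIGINS}
    return {o: RAW_CREDENTIAL_ID for o in ORIGINS}


def colluding_sites_can_link(seen: dict) -> bool:
    """Cross-origin correlation attempt: two sites compare what they stored."""
    values = list(seen.values())
    return values[0] == values[1]


if __name__ == "__main__":
    print("linkable without salting:", colluding_sites_can_link(ids_seen_by_sites(False)))
    print("linkable with UA salting: ", colluding_sites_can_link(ids_seen_by_sites(True)))
```

Two properties matter for the argument in this thread: the same origin always derives the same value (so the site can still recognise a returning credential), and the RP has no input to the derivation, so a non-cooperating bank cannot opt out of it. Whether a browser can actually deploy something like this given how credential IDs flow through the API is exactly the open question referred to issue #77.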

@cyberphone: comment marked as off-topic.

@stephenmcgruer: comment marked as outdated.

@cyberphone: comment marked as off-topic.

@stephenmcgruer stephenmcgruer changed the title 10.3 & 10.4: define the mitigation 11.3 & 11.4: define the mitigation Mar 2, 2022
@stephenmcgruer (Collaborator)

(Note: this is now 11.3 & 11.4)

stephenmcgruer added a commit that referenced this issue Mar 2, 2022
This section still contained an idea outline (for salting credential IDs) from
when the spec was in its development phase. The actual idea is in issue #77
and shouldn't be part of the spec itself.

Also added a short paragraph on a possible user mitigation for 11.3, creating
distinct user accounts.

See #143
stephenmcgruer added a commit that referenced this issue Mar 2, 2022
This section still contained an idea outline (for salting credential IDs) from
when the spec was in its development phase. The actual idea is in issue #77
and shouldn't be part of the spec itself.

Also added a short paragraph on a possible user mitigation for 11.3, creating
distinct user accounts.

See #143

Co-authored-by: ianbjacobs <ij@w3.org>
@ianbjacobs (Collaborator)

@samuelweiler, there was agreement at today's call that this is a dup of #77 and we can close it in favor of 77. Do you want to remove the privacy-needs-resolution label?

@samuelweiler samuelweiler added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. and removed privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on. labels May 4, 2022
@samuelweiler (Member, Author)

I thought I did that earlier. grumble grumble labels grumble.

@ianbjacobs (Collaborator)

Closed as a duplicate of #77.
