11.3 & 11.4: define the mitigation #143
Comments
This issue is effectively a dupe of #77, where this attack is being discussed. The spec should possibly be reworded to make it clear that there is nothing a website (Relying Party or otherwise) can currently do to achieve this mitigation - it is for the spec/user agent to figure out.
Additionally, I would prefer to see a mitigation that does not require the RP/bank to be well-behaved. What mechanism can we use that works even if the RP won't cooperate, e.g. with the salting scheme?
(Note: this is now 11.3 & 11.4)
This section still contained an idea outline (for salting credential IDs) from when the spec was in its development phase. The actual idea is in issue #77 and shouldn't be part of the spec itself. Also added a short paragraph on a possible user mitigation for 11.3, creating distinct user accounts. See #143
Co-authored-by: ianbjacobs <ij@w3.org>
@samuelweiler, there was agreement at today's call that this is a dup of #77 and we can close it in favor of 77. Do you want to remove the privacy-needs-resolution label?
I thought I did that earlier. grumble grumble labels grumble.
Closed as a duplicate of #77.
Can we standardize this mitigation, and is this mitigation sufficient? So rather than "One possible way to defeat this ..." just provide instructions? As in #142, the instructions might better fit elsewhere in the doc.