Description
4.5: excludeList allows an RP to tie different identities, i.e. to check if Alice and Bob are both used as identities on the same authenticator. This is because each of the CredentialDescription structures can contain a different id value, whereas if we only wanted to prevent multiple credentials for the same account, we would simply use the id value of the Account structure. Is this an attack we are willing to live with? Why not require (or allow) user consent for this step, e.g. "RP X wants to see other identities you have with it, do you allow that?"
@vijaybh: One issue is that there are authenticators which have no local storage, but encode the entire credential and all its metadata into the credential ID. So for these authenticators, a credential ID is required. However, the authenticator could ignore any excludeList entries that are not for the same account ID.
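A sketch of the mitigation @vijaybh describes, added here as an example that is not from the WebAuthn spec or from this thread: a hypothetical storage-less authenticator whose credential IDs are MAC-protected blobs (a constructed encoding, not CTAP's), which honours only the excludeList entries belonging to the account being registered, so a cross-account entry no longer changes the observable outcome.

```python
import hashlib
import hmac
import json
import os


class CredentialExcludedError(Exception):
    """Raised when an excludeList entry matches one of this authenticator's credentials."""


class StatelessAuthenticator:
    """Hypothetical authenticator with no local storage (constructed for this example):
    the credential ID is payload || HMAC-SHA256(payload), carrying rp id and user handle,
    so it can only recognise its own credentials when handed the credential ID."""

    TAG_LEN = 32

    def __init__(self, master_key: bytes):
        self.key = master_key

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def _encode(self, rp_id: str, user_handle: bytes) -> bytes:
        fields = {"rp": rp_id, "user": user_handle.hex(), "nonce": os.urandom(8).hex()}
        payload = json.dumps(fields).encode()
        return payload + self._mac(payload)

    def _decode(self, cred_id: bytes):
        if len(cred_id) <= self.TAG_LEN:
            return None
        payload, tag = cred_id[:-self.TAG_LEN], cred_id[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            return None  # not ours (or tampered): reveal nothing about it
        fields = json.loads(payload)
        return fields["rp"], bytes.fromhex(fields["user"])

    def make_credential(self, rp_id: str, user_handle: bytes, exclude_list, scope_to_account=True):
        for cred_id in exclude_list:
            parsed = self._decode(cred_id)
            if parsed is None or parsed[0] != rp_id:
                continue
            # Mitigation from the thread: ignore entries for a different account ID, so the
            # RP cannot use excludeList to learn that another identity lives on this device.
            if scope_to_account and parsed[1] != user_handle:
                continue
            raise CredentialExcludedError()
        return self._encode(rp_id, user_handle)


def excluded(auth, rp_id: str, user_handle: bytes, exclude_list, scope_to_account=True) -> bool:
    """True if registration is refused, i.e. the RP can observe that an entry matched."""
    try:
        auth.make_credential(rp_id, user_handle, exclude_list, scope_to_account)
        return False
    except CredentialExcludedError:
        return True
```

With scoping on, a same-account duplicate is still refused while an entry naming another account's credential is silently skipped.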