Is the getAssertion whitelist necessary?

While I continue to think through implementing the current draft, I have
encountered another question.

Imagine that the RP cares about maintaining maximum control over which
Credentials are used, and how many. Let's say this RP wants to use a
first-factor, and also require a second-factor that is of a different type
than the first. We can do this today, by calling getAssertion() repeatedly
with a whitelist containing a single entry each time.

This led me to realize that's the simplest form of getAssertion: checking a
given credential. The higher-level form, checking a list of them, is
syntactic sugar (though with a potential throughput benefit).

So my question is: why does getAssertion() need a whitelist? Could we add
the getAssertion() method to the Credential, and make it an object?

In this object-oriented form, the current whitelist-like approach would be
very normal to JS programmers - loop across your list of Credentials, and
then use Promise.race() (or maybe all(), depending on how the semantics
work out) to find the first completed assertion. Admittedly, more lines of
code.

This may not be the perfect set of examples, but perhaps others have
thoughts along these lines, and whether this is worth pursuing?

Thanks,
J.C.

Received on Saturday, 16 July 2016 00:53:44 UTC
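
Added example, not part of the original message or of the draft specification: a sketch of the object-oriented form proposed above, showing how the choice of Promise combinator changes the result when one authenticator fails quickly. The Credential class, its getAssertion() method, the type labels and the simulated timings are hypothetical; Promise.any() is used here as one possible alternative to the race()/all() options the message names.

```javascript
// Hypothetical Credential object; the draft API defines no such class.
class Credential {
  constructor(id, type, { delayMs, present }) {
    this.id = id;
    this.type = type;
    this.delayMs = delayMs; // constructed: simulated authenticator latency
    this.present = present; // constructed: whether the authenticator is attached
  }

  // Hypothetical per-credential getAssertion(); resolves to a stand-in assertion.
  getAssertion(challenge) {
    return new Promise((resolve, reject) => {
      setTimeout(() => {
        if (this.present) resolve({ credentialId: this.id, type: this.type, challenge });
        else reject(new Error(`no authenticator for ${this.id}`));
      }, this.delayMs);
    });
  }
}

// Promise.race(): settles with whichever call settles first, failures included.
function raceAssertion(credentials, challenge) {
  return Promise.race(credentials.map((c) => c.getAssertion(challenge)));
}

// Promise.any(): settles with the first call that succeeds.
function firstAssertion(credentials, challenge) {
  return Promise.any(credentials.map((c) => c.getAssertion(challenge)));
}

// RP policy from the message: the second factor must be of a different type.
function secondFactorCandidates(credentials, first) {
  return credentials.filter((c) => c.type !== first.type);
}

// Constructed sample credentials; cred-a fails before any other call completes.
const credentials = [
  new Credential("cred-a", "platform", { delayMs: 5, present: false }),
  new Credential("cred-b", "platform", { delayMs: 20, present: true }),
  new Credential("cred-c", "roaming", { delayMs: 10, present: true }),
];

// Two-step flow: first factor from any credential, second from a different type.
async function authenticate(challenge) {
  const first = await firstAssertion(credentials, challenge);
  const second = await firstAssertion(secondFactorCandidates(credentials, first), challenge);
  return [first.credentialId, second.credentialId];
}
```

With this sample data raceAssertion() rejects because cred-a fails first, while authenticate() completes with cred-c followed by cred-b.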