- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Thu, 01 Jun 2017 17:39:12 +0000
- To: public-webauthn@w3.org
Ok, I've pushed new commits, see 912c4ec.

In the spirit of @jyasskin's https://github.com/w3c/webauthn/pull/427#issuecomment-298122535, and additionally given that the AuthenticatorGetAssertion operation and CTAP ostensibly do a bunch of this allowList processing as I noted in https://github.com/w3c/webauthn/pull/427#discussion_r114213505, I backed my over-the-top changes out to close to what is in the master branch, and then modified to just fix (I hope) the `|credentialList|` type issue and the empty-allowList-foregoing-all-processing issue (which is the crux of issue #387). This may improve issue #481.

Here's some rationale wrt the empty `allowList` (aka `credentialDescriptorList` in the actual algorithm) from issue #387 (captured here so that it is handy):

https://github.com/w3c/webauthn/issues/387#issuecomment-294056421 @equalsJeffH
> My understanding is that we need to make empty `allowList` work, and the semantics ought to be that if the `allowList` is empty, the RP is saying "please use any credential you may have associated with my RP ID", and on the client side a platform-specific procedure is used to determine whether any such credentials exist.

https://github.com/w3c/webauthn/issues/387#issuecomment-294058725 @jyasskin
https://github.com/w3c/webauthn/issues/387#issuecomment-294176048 @vijaybh

please review. In the meantime I'm looking into addressing issues #481 and #480 in here...

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/427#issuecomment-305566274 using your GitHub account
Received on Thursday, 1 June 2017 17:39:18 UTC