Re: Is the getAssertion whitelist necessary?

Replying to both Vijay and Jeff:

On Fri, Jul 15, 2016 at 11:58 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
wrote:

> How would you create the Credential object?
>

Instead of just constructing a dictionary, we'd need a constructor of some
fashion.


On Sat, Jul 16, 2016 at 3:01 AM, Hodges, Jeff <jeff.hodges@paypal.com>
wrote:

> On 7/15/16, 5:52 PM, "J.C. Jones" <jc@mozilla.com> wrote:
> >So my question is: why does getAssertion() need a whitelist? Could we add
> >the getAssertion() method to the Credential, and make it an object?
>
> This actually was an earlier design predating the submitted specs
> <https://www.w3.org/Submission/2015/02/>
>
> IIRC, moving to the whitelist approach with getAssertion() more naturally
> accommodated use cases involving external/roaming/portable authenticators
> (authnrs). Perhaps we need to elucidate the design rationale...
>

Interesting; this must be some timing issue? Naively, it seems like it
would work the same, as you can build the current behavior out of the
'atomic' one.

It might be worth documenting, at least before the wider public asks the
same questions.

Cheers,
J.C.

Received on Sunday, 17 July 2016 12:45:35 UTC