[webauthn] Issue: Credential.id currently assumed to be RP unique marked as stat:OKtoDo

bifurcation has just labeled an issue for 
https://github.com/w3c/webauthn as "stat:OKtoDo":

== Credential.id currently assumed to be RP unique ==
**Originally submitted by: [rlin1](https://github.com/rlin1)**, on: _Friday Jan 08, 2016 at 12:04 GMT_

----

getAssertion returns Assertion.  Assertion includes id as the only 
method to map it to a specific user account.
Until now FIDO assumed the pair of 
(AAID/AAGUID/attestationCertificateKeyIdentifier, KeyID) to be RP 
unique.  
In FIDO2 KeyID has been replaced by Credential.id.
At this time there is no guaranteed way to derive the AAGUID from a 
FIDOAssertion.
As a result we implicitly assume KeyID (i.e. Credential.id) to be RP 
unique.


See https://github.com/w3c/webauthn/issues/38

Received on Wednesday, 4 May 2016 17:15:42 UTC
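
The uniqueness assumption described in the issue, shown as an added example that is not part of the original issue or of the WebAuthn specification: a relying-party credential table keyed by the (authenticator model, KeyID) pair, compared with one keyed by Credential.id alone. The class names, model ids and credential id are constructed for illustration.

```javascript
// Added illustration; every name and sample value here is constructed.
// Models a relying party's credential table under two keying schemes.

class PairKeyedStore {
  // Earlier FIDO assumption: (authenticator model id, KeyID) is RP unique.
  constructor() { this.rows = new Map(); }
  register(modelId, keyId, account) {
    const k = `${modelId}|${keyId}`;
    if (this.rows.has(k)) return false;
    this.rows.set(k, { keyId, account });
    return true;
  }
  // The assertion carries only the id, so the lookup cannot use modelId.
  accountsForAssertion(assertion) {
    return [...this.rows.values()]
      .filter((r) => r.keyId === assertion.id)
      .map((r) => r.account);
  }
}

class IdKeyedStore {
  // Credential.id alone must be RP unique, so enforce that at registration.
  constructor() { this.rows = new Map(); }
  register(_modelId, credentialId, account) {
    if (this.rows.has(credentialId)) return false; // duplicate id rejected
    this.rows.set(credentialId, account);
    return true;
  }
  accountForAssertion(assertion) {
    return this.rows.get(assertion.id) ?? null;
  }
}

function demo() {
  const id = "a1b2c3"; // constructed credential id
  const pair = new PairKeyedStore();
  pair.register("model-A", id, "alice");
  pair.register("model-B", id, "bob"); // accepted: the pair differs
  const idOnly = new IdKeyedStore();
  const first = idOnly.register("model-A", id, "alice");
  const second = idOnly.register("model-B", id, "bob"); // rejected
  return {
    ambiguous: pair.accountsForAssertion({ id }), // two candidate accounts
    first,
    second,
    resolved: idOnly.accountForAssertion({ id }),
  };
}
```

With the pair-keyed table, an assertion that carries only the id matches two accounts; enforcing uniqueness of the id at registration keeps the lookup unambiguous.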