
Re: [webauthn] Move `allowList` from optional to default on `getAssertion`

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 28 Sep 2016 08:36:42 -0700
Message-ID: <6454505036010029129@unknownmsgid>
To: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>

I don't see how you arrive at the equivalence -- it's only enforcing that
makeCredential happened before getAssertion.  Says nothing at all about
whether there's any other authentication.

Sent from my iPhone.  Please excuse brevity.

On Sep 28, 2016, at 00:49, Vijay Bharadwaj via GitHub <sysbot+gh@w3.org> wrote:

> Requiring allowList is equivalent to saying that getAssertion can only
> provide supplementary authentication, i.e. give you more assurance
> about a user whose identity you already sort-of-know. However I
> believe we do want to support scenarios where the user can
> authenticate with their WebAuthn authenticator and nothing else.
>
> GitHub Notification of comment by vijaybh
> Please view or discuss this issue at
> using your GitHub account
Received on Wednesday, 28 September 2016 15:37:14 UTC
