Re: [webauthn] Move `allowList` from optional to default on `getAssertion` from Richard Barnes on 2016-09-28 (public-webauthn@w3.org from September 2016)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 28 Sep 2016 08:36:42 -0700
To: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>
Message-ID: <6454505036010029129@unknownmsgid>

I don't see how you arrive at the equivalence -- it's only enforcing that
makeCredential happened before getAssertion.  Says nothing at all about
whether there's any other authentication.

Sent from my iPhone.  Please excuse brevity.

On Sep 28, 2016, at 00:49, Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
wrote:

Requiring allowList is equivalent to saying that getAssertion can only
provide supplementary authentication, i.e. give you more assurance
about a user whose identity you already sort-of-know. However I
believe we do want to support scenarios where the user can
authenticate with their WebAuthn authenticator and nothing else.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at
https://github.com/w3c/webauthn/issues/221#issuecomment-250096184
using your GitHub account

Received on Wednesday, 28 September 2016 15:37:14 UTC