Re: [webauthn] Move `allowList` from optional to default on `getAssertion`

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 28 Sep 2016 08:36:42 -0700
Message-ID: <6454505036010029129@unknownmsgid>
To: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
Cc: "public-webauthn@w3.org" <public-webauthn@w3.org>

I don't see how you arrive at the equivalence -- it's only enforcing that
makeCredential happened before getAssertion.  Says nothing at all about
whether there's any other authentication.

Sent from my iPhone.  Please excuse brevity.

On Sep 28, 2016, at 00:49, Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
wrote:

Requiring allowList is equivalent to saying that getAssertion can only
provide supplementary authentication, i.e. give you more assurance
about a user whose identity you already sort-of-know. However, I
believe we do want to support scenarios where the user can
authenticate with their WebAuthn authenticator and nothing else.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at
https://github.com/w3c/webauthn/issues/221#issuecomment-250096184
using your GitHub account
Received on Wednesday, 28 September 2016 15:37:14 UTC