W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2016

Re: [webauthn] Move `allowList` from optional to default on `getAssertion`

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Sep 2016 16:50:45 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-250226873-1475081442-sysbot+gh@w3.org>
@vijaybh writes in 
https://lists.w3.org/Archives/Public/public-webauthn/2016Sep/0567.html
 --

Requiring the allowList means that the RP must know which credential 
IDs are relevant in this particular interaction (you would not expect 
Google to send all registered credential IDs in its database for 
example). To narrow that scope, you need some hint saying which user’s
 credential IDs you are looking for. At the same time, you don’t want 
an unauthenticated client to probe for specific account IDs or users 
either. So you must have some basic idea of who the user is (or some 
other way to narrow the list of credential IDs, but similar arguments 
would apply to any other filter).

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/221#issuecomment-250226873 
using your GitHub account
Received on Wednesday, 28 September 2016 16:50:53 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:23 UTC