- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 28 Sep 2016 16:50:45 +0000
- To: public-webauthn@w3.org
@vijaybh writes in https://lists.w3.org/Archives/Public/public-webauthn/2016Sep/0567.html

--

Requiring the allowList means that the RP must know which credential IDs are relevant in this particular interaction (you would not expect Google to send all registered credential IDs in its database for example). To narrow that scope, you need some hint saying which user’s credential IDs you are looking for. At the same time, you don’t want an unauthenticated client to probe for specific account IDs or users either. So you must have some basic idea of who the user is (or some other way to narrow the list of credential IDs, but similar arguments would apply to any other filter).

--

GitHub Notification of comment by equalsJeffH

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/221#issuecomment-250226873 using your GitHub account
Received on Wednesday, 28 September 2016 16:50:53 UTC