Re: [webauthn] authenticatorCancel seems like it can cancel too much

OK, let's step through the spec.

https://w3c.github.io/webauthn/#getAssertion step 13 says:

> For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.

This will issue an authenticatorCancel for every authenticator in issuedRequests.  issuedRequests contains things placed there in step 11; it has no reference to "authenticator session"s.

https://w3c.github.io/webauthn/#authenticatorcancel does refer to "authenticator session".  OK, so where is that coming from?   https://w3c.github.io/webauthn/#authenticator-ops says that authenticator sessions need to exist, but doesn't define what they actually contain.

In any case, the problem is that the authenticatorCancel call from https://w3c.github.io/webauthn/#getAssertion step 13 has no reference to any "authenticator session".  So either there is one global one that it can grab, or the authenticatorCancel is happening in a new session.   If the intent is that it happen in the same authenticator session as the authenticatorGetAssertion call in step 11, that needs to be clearly specified.

I'm also not sure what the "This operation must be invoked in an authenticator session which has no other operations in progress." bit means in https://w3c.github.io/webauthn/#authenticatorgetassertion and <https://w3c.github.io/webauthn/#op-make-cred>.  Does it mean that if there is no such session a new session should be created?  Does it mean that you have to wait for such a session to become available?  The places that invoke the operation certainly don't check this, so it can't be an actual precondition...

-- 
GitHub Notification of comment by bzbarsky
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/283#issuecomment-292242314 using your GitHub account

Received on Thursday, 6 April 2017 17:12:34 UTC