
Re: [webauthn] Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode

From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
Date: Wed, 13 Dec 2017 17:31:21 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-351463861-1513186280-sysbot+gh@w3.org>
Even though the algorithm has changed quite a bit since then, the bug seems to exist today:
In step 5 the information whether the caller provided any entries in options.allowCredentials might get lost by the filtering. Proposal:
5. If options.allowCredentials is NOT empty then
    a) execute a platform-specific procedure to determine which, if any, public key credentials described by options.allowCredentials are bound to this authenticator, by matching with rpId, options.allowCredentials.id, and options.allowCredentials.type. Set allowCredentialDescriptorList to this filtered list.
    b) If options.allowCredentials is empty then fail with error code something.
Step 6 etc. as they are defined today.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/685#issuecomment-351463861 using your GitHub account
Received on Wednesday, 13 December 2017 17:31:25 UTC
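
The following JavaScript sketch is an added example, not part of the original message or of the WebAuthn specification text. It models the behaviour the message describes: filtering `options.allowCredentials` down to an empty list makes the call indistinguishable from first-factor mode, while branching on the caller's list before filtering keeps the two cases apart. The function names, the `resident` flag, the sample credentials and the error string are hypothetical, and failing when the filtered list is empty is this example's reading of step 5b.

```javascript
// Added illustration; all names except allowCredentials, rpId, id, type and
// allowCredentialDescriptorList are hypothetical.

// Constructed sample: credentials bound to one authenticator.
const boundCredentials = [
  { rpId: "example.com", id: "cred-A", type: "public-key", resident: true },
  { rpId: "example.com", id: "cred-B", type: "public-key", resident: false },
];

// Step 5 filter: keep descriptors that match a credential on this authenticator.
function filterBound(allowCredentials, rpId, bound) {
  return allowCredentials.filter((d) =>
    bound.some((c) => c.rpId === rpId && c.id === d.id && c.type === d.type));
}

// Stand-in for authenticatorGetAssertion: an empty list means first-factor
// mode, so the authenticator picks among its own resident credentials.
function authenticatorGetAssertion(rpId, allowCredentialDescriptorList, bound) {
  if (allowCredentialDescriptorList.length === 0) {
    const resident = bound.filter((c) => c.rpId === rpId && c.resident);
    return { mode: "first-factor", ids: resident.map((c) => c.id) };
  }
  return { mode: "second-factor", ids: allowCredentialDescriptorList.map((d) => d.id) };
}

// Behaviour described as the bug: filter unconditionally, then call.
function getAssertionFilteringAlways(options, rpId, bound) {
  const list = filterBound(options.allowCredentials, rpId, bound);
  return authenticatorGetAssertion(rpId, list, bound);
}

// Proposed step 5: branch on the caller's list before filtering.
function getAssertionProposed(options, rpId, bound) {
  if (options.allowCredentials.length > 0) {
    const list = filterBound(options.allowCredentials, rpId, bound);
    if (list.length === 0) {
      return { error: "no-matching-credential" }; // placeholder error code
    }
    return authenticatorGetAssertion(rpId, list, bound);
  }
  return authenticatorGetAssertion(rpId, [], bound);
}
```

With an allow list naming only a credential that is not on the authenticator, the unconditional filter ends in a first-factor assertion with `cred-A`, whereas the proposed branch returns the error.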
