Re: [webauthn] Bug: getAssertion accidentally calls authenticatorGetAssertion in first factor mode

Even though the algorithm has changed quite a bit since then, the bug seems to exist today:
In step 5, the information whether the caller provided any entries in options.allowCredentials might get lost by the filtering. Proposal:
5. If options.allowCredentials is NOT empty then
    a) execute a platform-specific procedure to determine which, if any, public key credentials described by options.allowCredentials are bound to this authenticator, by matching with rpId, options.allowCredentials.id, and options.allowCredentials.type. Set allowCredentialDescriptorList to this filtered list.
    b) If options.allowCredentials is empty then fail with error code something.
Step 6 etc. as they are defined today.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/685#issuecomment-351463861 using your GitHub account

Received on Wednesday, 13 December 2017 17:31:25 UTC
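
The difference between the reported behaviour and the proposed step 5, as an added example that is not part of the original comment or the WebAuthn specification text. It assumes step 5.b is meant to fire when the filtered list comes back empty; the function names, the string credential IDs, the return shape and the `PLACEHOLDER_ERROR` value are all hypothetical.

```javascript
// Added illustration. boundIds is a Set of credential IDs (simplified to
// strings here) that are bound to this authenticator for the current rpId.
function filterBound(allowCredentials, boundIds) {
  return allowCredentials.filter(
    (d) => d.type === "public-key" && boundIds.has(d.id)
  );
}

// Behaviour described in the report: only the filtered list is inspected, so
// "caller supplied a list but nothing matched" is indistinguishable from
// "caller supplied no list", and the authenticator is invoked without one.
function decideAsReported(options, boundIds) {
  const list = filterBound(options.allowCredentials || [], boundIds);
  if (list.length === 0) {
    return { invoke: true, mode: "first-factor", allowList: [] };
  }
  return { invoke: true, mode: "second-factor", allowList: list };
}

// Proposed step 5: branch on the caller's original list before filtering.
function decideAsProposed(options, boundIds) {
  const requested = options.allowCredentials || [];
  if (requested.length === 0) {
    return { invoke: true, mode: "first-factor", allowList: [] };
  }
  const list = filterBound(requested, boundIds);
  if (list.length === 0) {
    // Step 5.b: fail. The proposal leaves the concrete error code open.
    return { invoke: false, mode: "none", allowList: [], error: "PLACEHOLDER_ERROR" };
  }
  return { invoke: true, mode: "second-factor", allowList: list };
}

// Constructed sample data: the authenticator holds cred-A only.
const bound = new Set(["cred-A"]);
const rpListsOtherCred = { allowCredentials: [{ type: "public-key", id: "cred-B" }] };
const rpListsBoundCred = { allowCredentials: [{ type: "public-key", id: "cred-A" }] };
const rpListsNothing = { allowCredentials: [] };

for (const [name, opts] of Object.entries({ rpListsOtherCred, rpListsBoundCred, rpListsNothing })) {
  console.log(name, decideAsReported(opts, bound).mode, decideAsProposed(opts, bound).mode);
}
```

Only the `rpListsOtherCred` case differs between the two functions: the relying party asked for a specific credential, and the reported behaviour still invokes the authenticator as if no list had been given.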