
Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Fri, 22 Dec 2017 17:30:24 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353642489-1513963823-sysbot+gh@w3.org>
I am reopening this PR. 

The confusion is coming because 2nd factor != server credentials in all the cases. 

The CTAP spec needs clarification, as there is no user information returned in authenticatorGetAssertion for server credentials and U2F devices, because it is not available to the authenticator. For device-resident keys, the userID MUST be returned (irrespective of whether a credentialID list is provided or not). I will open the clarification PR for the CTAP spec.

Regarding this PR, it needs more work. Irrespective of whether the allow credential ID list is present or not, if the authenticator is giving the userID back, it should be returned to the RP.

So the sections in this PR which talk about whether the user ID returned from the authenticator is null or not are correct. The sections which talk about removing this information when the credential ID list is present are not correct.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353642489 using your GitHub account
Received on Friday, 22 December 2017 17:30:27 UTC
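The comment above draws a line between two cases an RP has to handle in the assertion response: server-side (non-resident) and U2F credentials, where the authenticator has no user handle to return and `userHandle` is null, and device-resident credentials, where the handle is returned and should be passed through whether or not `allowCredentials` was supplied. The following RP-side check is an added example written for this archive page; it is not code from the WebAuthn spec, from PR #730, or from its author. The credential store, the `resolveUserFromAssertion` helper and the sample credential IDs are constructed for illustration, and signature verification over `authenticatorData` and `clientDataJSON` is assumed to happen elsewhere.

```javascript
// Added example (not from the WebAuthn spec or the PR): deciding which user an
// assertion belongs to when the userHandle may legitimately be absent.

// Constructed credential store: credential id -> registration record.
// `resident` records whether the RP asked for a discoverable credential at
// registration time (the only case in which a userHandle is expected back).
const credentialStore = new Map([
  ["cred-resident-1", { userId: "user-42", resident: true }],
  ["cred-u2f-1", { userId: "user-42", resident: false }],
]);

const utf8 = (s) => new TextEncoder().encode(s); // constructed user handles

// assertion: { id, response: { userHandle: Uint8Array|null } } as delivered to the RP.
// allowCredentialIds: the allowCredentials list the RP sent, or null for a
// usernameless (discoverable credential) request.
function resolveUserFromAssertion(assertion, allowCredentialIds = null) {
  const cred = credentialStore.get(assertion.id);
  if (!cred) return { ok: false, reason: "unknown credential" };

  if (allowCredentialIds && !allowCredentialIds.includes(assertion.id)) {
    return { ok: false, reason: "credential not in allowCredentials" };
  }

  const handle = assertion.response.userHandle;
  if (handle && handle.byteLength > 0) {
    // A handle supplied by the authenticator is used regardless of whether an
    // allow list was present; it must name the owner of this credential.
    const userId = new TextDecoder().decode(new Uint8Array(handle));
    if (userId !== cred.userId) {
      return { ok: false, reason: "userHandle does not match credential owner" };
    }
    return { ok: true, userId, identifiedBy: "userHandle" };
  }

  // No handle: fine for server-side / U2F credentials, not for resident ones.
  if (cred.resident) {
    return { ok: false, reason: "resident credential returned no userHandle" };
  }
  if (allowCredentialIds) {
    // Second-factor style flow: the RP already knows the account and the
    // credential record binds the assertion to it.
    return { ok: true, userId: cred.userId, identifiedBy: "credentialId" };
  }
  return { ok: false, reason: "no userHandle in a request without allowCredentials" };
}

// Stand-alone demonstration on constructed input.
console.log(resolveUserFromAssertion(
  { id: "cred-u2f-1", response: { userHandle: null } }, ["cred-u2f-1"]));
console.log(resolveUserFromAssertion(
  { id: "cred-resident-1", response: { userHandle: utf8("user-42") } }));
```

The two branches mirror the comment: a present handle is always honoured and checked against the stored owner, and an absent handle is only acceptable for a credential the RP knows is non-resident and was already named in `allowCredentials`.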
