W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2017

Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Dec 2017 14:44:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-353873633-1514213052-sysbot+gh@w3.org>
Summary of currently proposed changes:

- `AuthenticatorAssertionResponse.userHandle` is now nullable.
- The authenticator MAY now skip storing the user handle for credentials that do not have a client-side-resident credential private key. (CTAP [currently does this][ctap])
- The authenticator now always returns the user handle if it is available.
- The client now returns `userHandle: null` if the authenticator did not return the user handle.

However it looks like CTAP is internally inconsistent: the `user` argument to authenticatorMakeCredential is stored only for resident keys, but the `user` attribute is required in the authenticatorGetAssertion response...

[ctap]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#h3_authenticatorMakeCredential

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353873633 using your GitHub account
Received on Monday, 25 December 2017 14:44:15 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:30 UTC