Re: [webauthn] be explicit about "same user" is verified at get() time as was verified at create() time

> +1 on clearer step, though I am not sure how to do that. Obviously all platforms use some sort of storage structure to memorize each user and associate the gestures. However, beyond that, I have very limited knowledge of how it is done. I am also not sure about the IP aspect because different device manufacturers use different ways to identify users.

We do not have to get into details. I am thinking we can have a generic, high-level, fairly abstract statement to the effect that: user verification at [{#getAssertion}](https://w3c.github.io/webauthn/#getAssertion) time must identify the same user as was verified at [{#createCredential}](https://w3c.github.io/webauthn/#createCredential) time, or something to that effect that we can agree on.

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/493#issuecomment-306975814 using your GitHub account

Received on Thursday, 8 June 2017 01:56:26 UTC