Re: [webauthn] be explicit about "same user" is verified at get() time as was verified at create() time

> +1 on clearer step, though I am not sure how to do that. Obviously all platforms use some sort of storage structure to memorize each user and associate the gestures. However, beyond that, I have very limited knowledge of how it is done. I am also not sure about the IP aspect because different device manufacturers use different ways to identify users.

We do not have to get into details. I am thinking we can have a generic high-level fairly abstract statement to the effect that: user verification at [{#getAssertion}] time must identify the same user as was verified at [{#createCredential}] time, or something to that effect that we can agree on.

GitHub Notification of comment by equalsJeffH

Received on Thursday, 8 June 2017 01:56:26 UTC