This spec already describes two [conformance classes](https://w3c.github.io/webauthn/#conformance): the [UA/Client](https://w3c.github.io/webauthn/#api) and the [Authenticator](https://w3c.github.io/webauthn/#authenticator-model). Adding a third, the [Relying Party](https://w3c.github.io/webauthn/#rp-operations), seems reasonable to me, and I don't think it's terrible to keep it in this document. UA implementers will just be able to ignore that section. It is, of course, important to specify the UA without assuming the Relying Party behaves as specified and vice versa, but I don't see violations of that in the current spec. I would suggest that the Relying Party spec specify the whole sequence of operations *around* the call to `makeCredential()`/`ScopedCredential.create()` or `getAssertion()`/`navigator.credentials.get({scoped})` instead of just the code after those functions return. One problem with only specifying the suffix is that it omits the requirement that `challenge` be a nonce. -- GitHub Notification of comment by jyasskin Please view or discuss this issue at https://github.com/w3c/webauthn/issues/88#issuecomment-288234647 using your GitHub accountReceived on Tuesday, 21 March 2017 22:07:44 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:25 UTC