
Re: [webauthn] Spec should not mandate behavior of server

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Tue, 21 Mar 2017 22:07:37 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-288234647-1490134055-sysbot+gh@w3.org>
This spec already describes two [conformance classes](https://w3c.github.io/webauthn/#conformance): the [UA/Client](https://w3c.github.io/webauthn/#api) and the [Authenticator](https://w3c.github.io/webauthn/#authenticator-model). Adding a third, the [Relying Party](https://w3c.github.io/webauthn/#rp-operations), seems reasonable to me, and I don't think it's terrible to keep it in this document. UA implementers will just be able to ignore that section.

It is, of course, important to specify the UA without assuming the Relying Party behaves as specified and vice versa, but I don't see violations of that in the current spec.

I would suggest that the Relying Party spec specify the whole sequence of operations *around* the call to `makeCredential()`/`ScopedCredential.create()` or `getAssertion()`/`navigator.credentials.get({scoped})` instead of just the code after those functions return. One problem with only specifying the suffix is that it omits the requirement that `challenge` be a nonce.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/88#issuecomment-288234647 using your GitHub account
Received on Tuesday, 21 March 2017 22:07:44 UTC
