Re: [webauthn] Enable RP to choose authenticators based on key storage capability

@jyasskin - AIUI this is seeking to define the difference between different levels of functionality from the authenticator:
- For some authenticators, such as the ones you allude to, the private key material is in the Credential ID. So without a Credential ID, the authenticator is helpless - it cannot provide any assertions. From an RP perspective, this means that they must figure out who the user is first (to some level of confidence) so that they can supply that user's Credential IDs in the allowList to getAssertion.
- For richer authenticators, there is onboard storage. So given only an RP ID, the authenticator can pick a credential (perhaps even with help from the user, if it has UI) and generate an assertion. From the RP's perspective, they can just have the same getAssertion call with an empty allowList for all users, and figure out the username (or more generally, account ID) from the assertion they receive.
The idea is that RPs who only want to build the second type of experience should be able to indicate that.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/378#issuecomment-288467611 using your GitHub account

Received on Wednesday, 22 March 2017 17:01:44 UTC
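The two RP-side flows the comment contrasts, as an added example that is not part of this thread or of the webauthn project's code. It assumes a constructed in-memory account store, uses the current API field name allowCredentials for what the comment calls the allowList, and models the assertion as the id and userHandle fields an RP would read off a PublicKeyCredential.

```javascript
// Constructed in-memory RP account store (example data, not from the thread).
const accounts = [
  { id: 'acct-1', username: 'alice', credentialIds: ['cred-A1', 'cred-A2'] },
  { id: 'acct-2', username: 'bob', credentialIds: ['cred-B1'] },
];
const RP_ID = 'example.com';

// First kind of authenticator: the key material travels in the Credential ID, so
// the RP must know who the user is before asking, and lists that user's credential
// IDs in the request (the allowList; allowCredentials in the current API).
function buildAllowListRequest(username, challenge) {
  const account = accounts.find((a) => a.username === username);
  if (!account) throw new Error('unknown user');
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: account.credentialIds.map((id) => ({ type: 'public-key', id })),
  };
}

// Second kind: the authenticator stores credentials per RP ID, so one request with
// an empty allowList serves every user; the account is learned from the assertion.
function buildDiscoverableRequest(challenge) {
  return { challenge, rpId: RP_ID, allowCredentials: [] };
}

// Map an assertion back to an account. In the allowList flow the RP already knows
// the username; in the discoverable flow it reads the account ID from userHandle.
// Either way, confirm the credential that signed is registered to that account:
// a userHandle is authenticator-supplied input, not proof of ownership by itself.
function resolveAccount(assertion, expectedUsername = null) {
  const account = expectedUsername
    ? accounts.find((a) => a.username === expectedUsername)
    : accounts.find((a) => a.id === assertion.response.userHandle);
  if (!account) return null;
  if (!account.credentialIds.includes(assertion.id)) return null;
  return account;
}
```

Signature verification over the challenge and authenticator data is a separate step and is not modelled here.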