[webauthn] Consider empty allowLists

jyasskin has just created a new issue for https://github.com/w3c/webauthn:

== Consider empty allowLists ==
https://w3c.github.io/webauthn/#getAssertion currently says:

> 11. For each authenticator currently available on this platform, perform the following steps:
>     1. Let *credentialList* be a new list.
>     1. If `options.allowList` is not empty, execute a platform-specific procedure to determine which, if any, credentials in `options.allowList` are present on this authenticator by matching with `options.allowList.id` and `options.allowList.type`, and set *credentialList* to this filtered list.
>     1. If *credentialList* is empty then continue.

If `allowList` is empty, `credentialList` remains empty, and every authenticator is skipped, which makes the call less than useful. However, not all examples include an `allowList` (e.g. https://w3c.github.io/webauthn/#sample-extensions), and the [`AssertionOptions`](https://w3c.github.io/webauthn/#dictdef-assertionoptions) definition defaults it to the empty list instead of making it required. #378 also wants to remove the technical need to pass an ID through the `allowList` for every `getAssertion()` call.

I think the spec should either consistently avoid empty `allowList`s or make them work, but I don't have an opinion which.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/387 using your GitHub account

Received on Wednesday, 22 March 2017 19:01:42 UTC
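
The quoted steps of step 11, modelled in JavaScript as an added example (not part of the original message or of the specification text), showing that an empty or omitted `allowList` leaves every authenticator skipped. The function name `authenticatorsConsidered`, the in-memory `credentials` arrays standing in for the platform-specific procedure, and the id and type strings are assumptions constructed for illustration.

```javascript
// Constructed model: each authenticator lists the credentials it holds.
// Real credential ids are binary; short strings stand in for them here,
// and "example-type" is a placeholder for the credential type value.
const authenticators = [
  { name: "usb-key", credentials: [{ type: "example-type", id: "aa01" }] },
  { name: "platform", credentials: [{ type: "example-type", id: "bb02" },
                                    { type: "example-type", id: "cc03" }] },
];

// Follows the three quoted sub-steps for each available authenticator and
// returns the authenticators that are not skipped.
function authenticatorsConsidered(available, options) {
  // The dictionary definition defaults allowList to the empty list.
  const allowList = options.allowList || [];
  const considered = [];
  for (const authenticator of available) {
    // Sub-step 1: let credentialList be a new list.
    let credentialList = [];
    // Sub-step 2: only a non-empty allowList triggers the matching by
    // id and type; otherwise credentialList is left untouched.
    if (allowList.length > 0) {
      credentialList = allowList.filter(allowed =>
        authenticator.credentials.some(held =>
          held.id === allowed.id && held.type === allowed.type));
    }
    // Sub-step 3: an empty credentialList means this authenticator is skipped.
    if (credentialList.length === 0) continue;
    considered.push({ name: authenticator.name, credentialList });
  }
  return considered;
}

// One matching entry: only the authenticator holding "bb02" is considered.
const withList = authenticatorsConsidered(authenticators, {
  allowList: [{ type: "example-type", id: "bb02" }],
});
console.log(withList.map(a => a.name));   // the "platform" authenticator

// Omitted or empty allowList: every authenticator is skipped.
console.log(authenticatorsConsidered(authenticators, {}).length);
console.log(authenticatorsConsidered(authenticators, { allowList: [] }).length);
```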