[webauthn] credential ID returned by authenticatorGetAssertion() is optional if allowList has exactly one member

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== credential ID returned by authenticatorGetAssertion() is optional if allowList has exactly one member ==
[The authenticatorGetAssertion operation](https://www.w3.org/TR/webauthn/#op-get-assertion) says:
> On successful completion, the authenticator returns to the user agent:
> * **_The identifier of the credential used to generate the signature_**.
> * The authenticator data used to generate the signature.
> * The assertion signature.

However, the [CTAP spec](https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html) says in [4.2 authenticatorGetAssertion](https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html#authenticatorgetassertion): 
> On success, the authenticator must return the following structure in its response:

| Member name | Data type  | Required? | Definition |
|-------------|------------|-----------|------------|
| credential  | Credential | Optional  | Credential whose private key was used to generate the assertion. May be omitted if the whitelist has exactly one Credential. |

[...]
...which would seem to be an optimization for CTAP where it does not have to return as many bytes (in what may be a common case).

Update WebAuthn to reflect this? 


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/472 using your GitHub account

Received on Tuesday, 23 May 2017 01:33:51 UTC
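Added example, not part of the issue above or of the WebAuthn/CTAP specs: a client-side resolver that applies the CTAP rule quoted in the issue so the relying party always receives a credential ID, and rejects the ambiguous cases (credential omitted with zero or several allowList entries, or a returned credential that was not in the allowList). The `Credential` class, the response dict shape and all byte values are assumptions constructed for this example.

```python
"""Resolve the credential ID from a CTAP2-style authenticatorGetAssertion response.

The authenticator may omit the 'credential' member only when the allowList
has exactly one entry; the WebAuthn client still has to hand the RP a
credential ID, so it fills the gap from the allowList and refuses anything
ambiguous. Response/allowList values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:           # assumed stand-in for PublicKeyCredentialDescriptor
    type: str
    id: bytes


class GetAssertionError(ValueError):
    """Response cannot be mapped to exactly one allowed credential."""


def resolve_credential(response: dict, allow_list: list[Credential]) -> Credential:
    """Return the credential whose private key produced the assertion."""
    cred = response.get("credential")
    if cred is not None:
        found = Credential(type=cred["type"], id=bytes(cred["id"]))
        # The authenticator must not answer with a credential the RP did not allow.
        if allow_list and found not in allow_list:
            raise GetAssertionError("returned credential is not in allowList")
        return found
    # Omission is only unambiguous when exactly one credential was allowed.
    if len(allow_list) == 1:
        return allow_list[0]
    raise GetAssertionError(
        f"credential omitted but allowList has {len(allow_list)} entries")


def is_rejected(response: dict, allow_list: list[Credential]) -> bool:
    """True if the resolver refuses the response (helper for checks below)."""
    try:
        resolve_credential(response, allow_list)
    except GetAssertionError:
        return True
    return False


# Constructed sample data (not captured from a real authenticator).
ALLOW_ONE = [Credential("public-key", b"\x01" * 16)]
ALLOW_TWO = ALLOW_ONE + [Credential("public-key", b"\x02" * 16)]
OMITTED = {"authData": b"\x00" * 37, "signature": b"\xaa" * 64}      # no 'credential'
EXPLICIT = dict(OMITTED, credential={"type": "public-key", "id": b"\x02" * 16})
UNKNOWN = dict(OMITTED, credential={"type": "public-key", "id": b"\x09" * 16})
```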