Re: [webauthn] credentialList needs to be non-empty in order to call authenticatorGetAssertion

not a duplicate of issue #387 tho closely related i think.  I will try to address this in PR #427, if I understand this issue correctly. 

A consideration regarding roaming authnrs is that if a roaming authnr is also multi-factor (nee first-factor), then the [credential private key is stored in the authnr's internal storage]( -- i think this is the rationale behind your 3d parag where you say:
> our current approach doesn't allow roaming authenticators (i.e. in which the platform doesn't know which credentials are related to the authenticator) 


where you say:
> **_without_** expecting it to be used as a second-factor (i.e. in a situation in which the RP server could already provide the credentialList).

Should "**_without_**" actually be "**_unless_**" ?

> We could modify step 13.3 in section 4.1.4 to say:

It seems you are referring to the spec revision?  Might be better to refer to [the editor's draft]( [section 4.1.4]( is `{#getAssertion}`. Tho the step you refer to is now step 15.  

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 31 May 2017 23:16:02 UTC