W3C home > Mailing lists > Public > public-webauthn@w3.org > May 2017

Re: [webauthn] credentialList needs to be non-empty in order to call authenticatorGetAssertion

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 31 May 2017 23:15:56 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-305344857-1496272555-sysbot+gh@w3.org>
not a duplicate of issue #387 tho closely related i think.  I will try to address this in PR #427, if I understand this issue correctly. 

A consideration regarding roaming authnrs is that if a roaming authnr is also multi-factor (nee first-factor), then the [credential private key is stored in the authnr's internal storage](https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-authnr-cmds-v1.1-id-20170202.html#first-factor-roaming-authenticator) -- i think this is the rationale behind your 3d parag where you say:
> our current approach doesn't allow roaming authenticators (i.e. in which the platform doesn't know which credentials are related to the authenticator) 

..yes?

where you say:
> **_without_** expecting it to be used as a second-factor (i.e. in a situation in which the RP server could already provide the credentialList).

Should "**_without_**" actually be "**_unless_**" ?

> We could modify step 13.3 in section 4.1.4 to say:

It seems you are referring to the https://www.w3.org/TR/webauthn/ spec revision?  Might be better to refer to [the editor's draft](https://w3c.github.io/webauthn/). [section 4.1.4](https://w3c.github.io/webauthn/#getAssertion) is `{#getAssertion}`. Tho the step you refer to is now step 15.  




-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/481#issuecomment-305344857 using your GitHub account
Received on Wednesday, 31 May 2017 23:16:02 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:26 UTC