
Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 06 Oct 2017 13:22:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-334752813-1507296106-sysbot+gh@w3.org>
Actually... apparently someone already thought of this. The last paragraph of [6.1. Registering a new credential][make-cred] reads:

>To avoid ambiguity during authentication, the Relying Party SHOULD check that each credential is registered to no more than one user. If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.

How embarrassing to have missed that... It might however be worthwhile to make this one of the formal algorithm steps.

[make-cred]: https://w3c.github.io/webauthn/#registering-a-new-credential

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-334752813 using your GitHub account
Received on Friday, 6 October 2017 13:21:57 UTC
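
The check from the quoted paragraph, sketched for a relying party's registration handler as an added example that is not part of the original message or of the WebAuthn specification. `CredentialRegistry`, its in-memory `Map` and the `onConflict` option are hypothetical names, and treating a repeat registration by the same user as a no-op is an assumption.

```javascript
// Added example: enforce "each credential is registered to no more than one user".
// All names here are hypothetical; the Map stands in for the RP's credential table.
class CredentialConflictError extends Error {
  constructor(key) {
    super(`credential ${key} is already registered to a different user`);
    this.name = 'CredentialConflictError';
  }
}

class CredentialRegistry {
  constructor() {
    this.ownerByCredential = new Map(); // credential ID (hex) -> user handle
  }

  // Credential IDs are byte strings; compare them by value, not by object identity.
  static keyFor(credentialId) {
    return Buffer.from(credentialId).toString('hex');
  }

  // onConflict: 'reject' fails the ceremony (the SHOULD in the quoted text);
  // 'replace' accepts it and deletes the older registration (the MAY).
  register(userHandle, credentialId, { onConflict = 'reject' } = {}) {
    const key = CredentialRegistry.keyFor(credentialId);
    const owner = this.ownerByCredential.get(key);
    if (owner === undefined) {
      this.ownerByCredential.set(key, userHandle);
      return { status: 'registered', replacedUser: null };
    }
    if (owner === userHandle) {
      return { status: 'unchanged', replacedUser: null }; // assumption: no-op
    }
    if (onConflict !== 'replace') throw new CredentialConflictError(key);
    this.ownerByCredential.set(key, userHandle); // older registration is dropped
    return { status: 'registered', replacedUser: owner };
  }

  lookup(credentialId) {
    return this.ownerByCredential.get(CredentialRegistry.keyFor(credentialId)) ?? null;
  }
}

// Constructed sample: two users present the same credential ID.
function demo() {
  const registry = new CredentialRegistry();
  const credId = Uint8Array.from([0xde, 0xad, 0xbe, 0xef]);
  const out = [registry.register('alice', credId).status];
  try { registry.register('bob', credId); } catch (e) { out.push(e.name); }
  out.push(registry.register('bob', credId, { onConflict: 'replace' }).replacedUser);
  out.push(registry.lookup(credId));
  return out;
}
```

With a persistent store, the same guarantee also needs a unique constraint on the credential ID so that two concurrent registrations cannot both pass the check.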
