Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

Actually... apparently someone already thought of this. The last paragraph of [6.1. Registering a new credential][make-cred] reads:

>To avoid ambiguity during authentication, the Relying Party SHOULD check that each credential is registered to no more than one user. If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.

How embarrassing to have missed that... It might however be worthwhile to make this one of the formal algorithm steps.

[make-cred]: https://w3c.github.io/webauthn/#registering-a-new-credential

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-334752813 using your GitHub account

Received on Friday, 6 October 2017 13:21:57 UTC
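
The registration-time uniqueness check quoted in the message above, sketched as a Relying Party credential store. This is an added example, not code from the WebAuthn specification or from the thread; `CredentialStore`, `decode_cred_id`, the `replace_older` flag and the same-user behaviour are assumptions made for illustration.

```python
import base64
from typing import Dict, Optional, Tuple


class CredentialAlreadyRegistered(Exception):
    """The credential ID is already bound to a different user."""


def decode_cred_id(b64url: str) -> bytes:
    # Compare raw bytes, so padded and unpadded base64url spellings of one ID match.
    return base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))


class CredentialStore:
    """Hypothetical in-memory store; a real RP would also put a UNIQUE constraint
    on the credential ID column so concurrent registrations cannot race."""

    def __init__(self) -> None:
        self._by_id: Dict[bytes, Tuple[bytes, bytes]] = {}  # cred_id -> (user, pubkey)

    def register(self, user: bytes, cred_id_b64: str, pubkey: bytes,
                 replace_older: bool = False) -> str:
        cred_id = decode_cred_id(cred_id_b64)
        existing = self._by_id.get(cred_id)
        if existing is None:
            self._by_id[cred_id] = (user, pubkey)
            return "created"
        if existing[0] == user:
            return "unchanged"  # assumption: a same-user repeat keeps the stored record
        if not replace_older:
            # SHOULD: fail the ceremony when another user already holds this ID.
            raise CredentialAlreadyRegistered(cred_id_b64)
        # MAY: accept the registration, deleting the older one in the same step.
        self._by_id[cred_id] = (user, pubkey)
        return "replaced"

    def owner_of(self, cred_id_b64: str) -> Optional[bytes]:
        # Authentication-time lookup: a credential ID maps to at most one user.
        entry = self._by_id.get(decode_cred_id(cred_id_b64))
        return entry[0] if entry else None
```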