Re: [webauthn] Only exclude CredIDs matching the RPID

I disagree with adding this into the algorithm steps, as it implies checking the `rpId` of a credential before using it -- which is impossible for the implementing browser to do, as `PublicKeyCredentialDescriptor` doesn't provide a way to check that.

There should be a correspondence between a Credential ID and an RP ID, but it has to be managed by the authenticator. Some authenticators might use business logic here ("I made this CredID for X.Y, but this is for Z.Y, nope!"), some might use cryptography to mix the RP ID into the Credential ID's byte array. That's an implementation detail.

IMO this should go into the security considerations section instead. Maybe something to the effect of:

```
Authenticators, when presented a Credential ID for an RP ID, SHOULD 
ensure that the Credential ID was created for this RP ID before accepting
it for use.
```

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/651#issuecomment-338010618 using your GitHub account

Received on Thursday, 19 October 2017 19:22:21 UTC
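
The comment above mentions that an authenticator might use cryptography to mix the RP ID into the Credential ID's byte array. One way that could look, as an added example that is not from the comment, the pull request, or the WebAuthn specification: the Credential ID layout, the constant `DEVICE_SECRET`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample key; in this sketch it stands for a secret held inside the authenticator.
DEVICE_SECRET = b"constructed-demo-device-secret--"
NONCE_LEN = 16
TAG_LEN = 32


def _tag(rp_id: str, nonce: bytes) -> bytes:
    """MAC over the RP ID hash and the per-credential nonce."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return hmac.new(DEVICE_SECRET, rp_id_hash + nonce, hashlib.sha256).digest()


def make_credential_id(rp_id: str) -> bytes:
    """Assumed layout: nonce || HMAC(secret, SHA-256(rp_id) || nonce)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _tag(rp_id, nonce)


def created_for_rp(credential_id: bytes, rp_id: str) -> bool:
    """True only if this authenticator created credential_id for rp_id."""
    if len(credential_id) != NONCE_LEN + TAG_LEN:
        return False  # malformed, or created by some other authenticator
    nonce, tag = credential_id[:NONCE_LEN], credential_id[NONCE_LEN:]
    # Constant-time comparison so the check does not leak tag bytes.
    return hmac.compare_digest(tag, _tag(rp_id, nonce))


def matching_credentials(credential_ids, rp_id):
    """Keep only the Credential IDs from a descriptor list that were created for rp_id."""
    return [cid for cid in credential_ids if created_for_rp(cid, rp_id)]


if __name__ == "__main__":
    cid_x = make_credential_id("x.example")
    cid_z = make_credential_id("z.example")
    # Only the credential created for x.example passes the check: prints 1.
    print(len(matching_credentials([cid_x, cid_z, b"garbage"], "x.example")))
```

The check needs only the Credential ID bytes and the RP ID supplied with the request, so it runs inside the authenticator without the browser having to know which RP ID a descriptor belongs to.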