Re: [webauthn] PublicKeyCredentialDescriptor.id and PublicKeyCredentialEntity.id type differ

The two fields should be of those types. Looking through the description, my guess is there is a misunderstanding of what the fields do. When the MDN documentation is out, the issues would become clearer. 

PublicKeyCredentialEntity.id is the rp.id field. This field is used for web developers to specify which origin the keys should belong to (no larger than eTLD+1). 

PublicKeyCredentialUserEntity.id is the user.id field. This field is used for web developers to specify what the user account's id is. More often than not, developers have an established database that contain the user account information, including the unique id assigned to each user. Most databases just use string instead of binary array to specify such id. Using string for this id field also makes things easier for web developers. 

PublicKeyCredentialDescriptor.id is used for developers to specify which credential they want to allow/exclude in this transaction. Here the id comes from the credential itself. Developers retrieve this id by decoding the Authenticator Data field and would most likely get a binary blob out anyway. Keeping this field as a BufferSource makes things much easier for them. 

Overall, by keeping the two id field as two types of data, we are helping web developers understand the difference between all the various identities involved in the webauthn transaction and preventing them from making mistakes. Your above demo is a mistakened way of using the fields. Our current design helps you find your mistakes sooner. 


-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/504#issuecomment-327951133 using your GitHub account

Received on Thursday, 7 September 2017 23:07:04 UTC