Re: [webauthn] PublicKeyCredentialDescriptor.id and PublicKeyCredentialEntity.id type differ

@herrjemand The developer will not be aware of the id from assertion before they receive the assertion.

The key to keep in mind here is there are two ids: the account id and the credential id. Multiple credentials can be registered for one account. Multiple accounts cannot register the same credential. When the developer requests registration, they are required to supply the account id.

In addition, when the developer requests registration, they can also optionally provide an excludeList. The excludeList contains a list of credentials (identified by credential id). Developers find out about the list of credentials they want to include by querying the database to find out the credential they don't like from previous registrations.

-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/504#issuecomment-328149392 using your GitHub account

Received on Friday, 8 September 2017 16:20:44 UTC
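
The relationship between the two ids described in the comment above, as an added example that is not part of the original message or of the WebAuthn specification text. `CredentialStore`, its method names, the sample ids and the exact shape of the `user` object are assumptions for illustration; `excludeList` is the member name used in the comment.

```javascript
// Added illustration: a relying-party side store keyed by credential id.
// CredentialStore and its methods are hypothetical names.
class CredentialStore {
  constructor() {
    this.byCredentialId = new Map(); // credential id (hex) -> account id
  }

  // One account may hold many credentials, but a credential id
  // may be bound to only one account.
  register(accountId, credentialId) {
    const key = Buffer.from(credentialId).toString('hex');
    const owner = this.byCredentialId.get(key);
    if (owner !== undefined) {
      throw new Error(owner === accountId
        ? 'credential already registered for this account'
        : 'credential id is bound to a different account');
    }
    this.byCredentialId.set(key, accountId);
  }

  // Database query: credential ids from previous registrations of an account.
  credentialsFor(accountId) {
    return [...this.byCredentialId]
      .filter(([, owner]) => owner === accountId)
      .map(([hex]) => Uint8Array.from(Buffer.from(hex, 'hex')));
  }

  // Registration request: the account id is required, the exclude list is
  // optional and is built from the stored credential ids.
  registrationOptions(accountId, name) {
    return {
      user: { id: accountId, name }, // shape assumed for illustration
      excludeList: this.credentialsFor(accountId)
        .map((id) => ({ type: 'public-key', id })),
    };
  }
}

// Constructed sample data: two credentials for one account, then a second
// account attempting to register an already-bound credential id.
function demo() {
  const store = new CredentialStore();
  store.register('acct-alice', Uint8Array.of(0x01, 0x02));
  store.register('acct-alice', Uint8Array.of(0x03, 0x04));
  let rejected = false;
  try { store.register('acct-bob', Uint8Array.of(0x01, 0x02)); }
  catch (e) { rejected = true; }
  return { options: store.registrationOptions('acct-alice', 'alice'), rejected };
}
```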