Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

If RPs are recommended that they SHOULD refuse duplicate credential IDs I think it's not necessary to specify any minimum length or entropy for the credential ID. The worst that would happen is a bad user experience with badly designed authenticators, and that's on the authenticator designer if that's worth ignoring the SHOULD clause.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331698454 using your GitHub account

Received on Sunday, 24 September 2017 09:33:11 UTC