If RPs are recommended that they SHOULD refuse duplicate credential IDs I think it's not necessary to specify any minimum length or entropy for the credential ID. The worst that would happen is a bad user experience with badly designed authenticators, and that's on the authenticator designer if that's worth ignoring the SHOULD clause. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331698454 using your GitHub accountReceived on Sunday, 24 September 2017 09:33:11 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC