Re: web-platform-tests results

>>exclude existing credential
>I think the test is wrong. It's expecting "NotAllowedError" but the spec
>says it should be InvalidStateError by my reading.

Yes and no - it depends on what the authenticator returns. If the
authenticator returns "InvalidStateError" (credential exists, user
confirmed consent), then the browser should also return
"InvalidStateError", but otherwise (credential exists, no consent) the
browser should return "NotAllowedError".

/Emil

On Thu, Dec 20, 2018 at 1:18 AM Adam Langley <agl@google.com> wrote:

> On Wed, Dec 19, 2018 at 3:17 PM Adam Langley <agl@google.com> wrote:
>
>> Bad pubKeyCredParams: pubKeyCredParams is empty Array
>>
>> Current Chrome fails this although it was marked as “passing”. It does
>> appear that it's valid for this sequence to be empty. Thus I believe this
>> is a Chrome bug.
>>
>
> WebAuthn and CTAP2 disagree on this point.
>
> WebAuthn clearly thinks that an empty pubKeyCredParams is valid and
> expresses no preference about the algorithm of any resulting credential
> ("The authenticator makes a best-effort to create the most preferred
> credential that it can.")
>
> CTAP2 says "If the pubKeyCredParams parameter does not contain a valid
> COSEAlgorithmIdentifier value that is supported by the authenticator,
> terminate this procedure and return error code
> CTAP2_ERR_UNSUPPORTED_ALGORITHM."
>
> So I can change Chromium to accept an empty list here and for non-CTAP2
> devices it'll do something. But CTAP2 devices fail immediately.
>
>
> Cheers
>
> AGL
>
-- 

Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>

Received on Thursday, 20 December 2018 12:43:46 UTC
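
The two behaviours discussed in this thread, modelled as an added example that is not part of either message and is not browser, authenticator or specification code. Function names, object shapes, the "no-supported-algorithm" string and the non-CTAP2 fallback (first supported algorithm) are assumptions made for illustration; -7 and -257 are the COSE identifiers for ES256 and RS256.

```javascript
// Added illustration: a simplified model of the behaviour described in the
// thread. Function names, object shapes and result strings are hypothetical.

// Algorithm selection for one authenticator. `authenticator` is a constructed
// object: { ctap2: boolean, supportedAlgs: number[] }.
function selectAlgorithm(pubKeyCredParams, authenticator) {
  const match = pubKeyCredParams.find(
    (p) => p.type === "public-key" && authenticator.supportedAlgs.includes(p.alg)
  );
  if (match) return { ok: true, alg: match.alg };
  if (authenticator.ctap2) {
    // CTAP2 text quoted in the thread: no supported identifier means failure,
    // and an empty list can never contain one.
    return { ok: false, error: "CTAP2_ERR_UNSUPPORTED_ALGORITHM" };
  }
  if (pubKeyCredParams.length === 0) {
    // WebAuthn reading from the thread: an empty list states no preference, so
    // a non-CTAP2 device makes a best effort (assumed: first supported alg).
    return { ok: true, alg: authenticator.supportedAlgs[0] };
  }
  return { ok: false, error: "no-supported-algorithm" };
}

// Error name the browser surfaces when an excludeCredentials entry matches,
// per the reply at the top of the thread: it depends on user consent.
function errorForExcludedMatch(userConsented) {
  return userConsented ? "InvalidStateError" : "NotAllowedError";
}

// Relying-party check to run before calling navigator.credentials.create():
// an empty list is valid WebAuthn input but fails on CTAP2 devices.
function lintCreateOptions(publicKey) {
  const warnings = [];
  const params = publicKey.pubKeyCredParams;
  if (!Array.isArray(params) || params.length === 0) {
    warnings.push("pubKeyCredParams is empty: CTAP2 authenticators will fail");
  }
  return warnings;
}

// Constructed sample input: the same empty list against two device kinds.
const ctap2Key = { ctap2: true, supportedAlgs: [-7] };
const legacyKey = { ctap2: false, supportedAlgs: [-7] };
console.log(selectAlgorithm([], ctap2Key), selectAlgorithm([], legacyKey));
```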