- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Feb 2018 21:30:45 +0000
- To: public-webauthn@w3.org
@leshi Oh, my bad - I guess I was reading [an outdated draft?][ctap]

> 1. If the excludeList parameter is present and contains a credential ID that is present on this authenticator, terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

@kpaulh Ah, a fake sign request is a clever way to work around it! That seems to me like a good solution: reply with some kind of `AlreadyRegisteredError` if the user does confirm the sign action, and the ambiguous `NotAllowedError` if the user does not confirm it. I suppose that _could_ be confusing if the authenticator has a rich interface and makes create and sign operations substantially different. I imagine that could perhaps become an issue with U2F on "Intel Online Connect", for example, but it seems minor compared to the other issues discussed here.

[ctap]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#authenticatorMakeCredential

--
GitHub Notification of comment by emlun

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366363969 using your GitHub account
Received on Friday, 16 February 2018 21:30:51 UTC