- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Sat, 20 Jan 2018 00:07:54 +0000
- To: public-webauthn@w3.org
Thanks for your detailed response!

>>2. The browser notices that one of the excluded parameters is available, ignores that authenticator and waits for another to appear.
>
>AFAICT, the browser/client-platform does not do this [...] rather the authnr does this [...] and returns `NotAllowedError`

Ah yes, that is correct. Either way, the end result is that the client ignores the authenticator in question and keeps waiting for another candidate.

>nit: AFAICT the spec does not stipulate whether the browser, client platform, or authenticator prompts the user.

Indeed, although [authenticatorMakeCredential][amc] step 6 softly specifies that the authenticator does it if capable, and otherwise the client. I chose to keep it simple because I don't know of existing authenticator hardware that allows active denial of consent (as opposed to passive denial by timeout).

>Ah, but the imperative [...] this PR inserted into [#createCredential](https://w3c.github.io/webauthn/#createCredential) step 21 means that the error is not returned before the timer expires, yes? [...]

Assuming implementers read and implement all the steps, yes. :)

[amc]: https://w3c.github.io/webauthn/#op-make-cred

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/687#issuecomment-359124131 using your GitHub account
Received on Saturday, 20 January 2018 00:07:56 UTC