- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 06 Sep 2018 11:54:44 +0000
- To: public-webauthn@w3.org
As we discussed on the 2018-09-05 WG call, it seems like we were discussing past each other a bit. The bit I find confusing about this PR is this (emphasis added): >Note: [=[RPS]=] may [=credentials map|map=] multiple [=public key credentials=] to a user account **by mapping multiple user handles to the account**. The points I was trying to make were: - It's not necessary to have multiple user handles for the same account in order to have multiple credentials for that account - Although one authenticator can indeed only have one credential for a given (rpId, userHandle) pair, it's possible to create another credential with the same (rpId, userHandle) pair on a different authenticator. - Different user accounts are expected (by my estimation) to have different user handles. The main counterpoint was: - It's concievable that RPs may not want to use user handles, and opt to set the user handle to, for example, the empty byte array for all users. In this case it's not possible to have credentials for different accounts on the same authenticator, since they share the same user handle. The RP can work around this by mapping multiple user handles to the same account. Would it be possible (and desirable) to get both of these subtleties across? -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1052#issuecomment-419066172 using your GitHub account
Received on Thursday, 6 September 2018 11:54:45 UTC