- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 19 Nov 2019 15:23:55 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn:

== Ignore transport hints in excludeCredentials? ==

[`PublicKeyCredentialCreationOptions.excludeCredentials`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-excludecredentials) is currently a sequence of type `PublicKeyCredentialDescriptor`, which can include transport hints. Is there a use case for considering transport hints in `excludeCredentials`, or should we mandate that clients ignore them in `create()`?

For example, say you register a credential `A` on an Android phone, and the client at the time returns `getTransports(): ["internal"]`. At some later time, Android releases a software upgrade that makes these credentials available over Bluetooth as well. The user connects the phone to a laptop and initiates credential registration, and the RP returns `excludeCredentials: [{ type: "public-key", id: "A", transports: ["internal"] }]`. Now, if the client does consider the transport hints and does not include `A` in the exclude list sent to the authenticator, then the user can register their phone twice to the same account. This is what `excludeCredentials` is intended to prevent.

So I think it probably makes sense to mandate ignoring transport hints in `excludeCredentials`. Ideally the type wouldn't allow them, but I'm not sure this is worth breaking the API.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1348 using your GitHub account
Received on Tuesday, 19 November 2019 15:24:02 UTC
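The scenario in the issue, modelled as an added example (not code from the issue, the WebAuthn spec, or any browser): a client builds the exclude list it hands to the authenticator from `excludeCredentials` either honouring or ignoring transport hints, and the constructed sample data and helper names (`excludeListHonouringHints`, `excludeListIgnoringHints`, `authenticatorWouldCreate`) are assumptions for illustration only.

```javascript
// Constructed sample data: credential A was registered on a phone whose client
// reported getTransports() as ["internal"] at the time, so the RP stored that hint.
const EXCLUDE_CREDENTIALS = [
  { type: "public-key", id: "A", transports: ["internal"] },
];

// Hypothetical authenticator state: the same phone, which after an OS update is
// now also reachable over Bluetooth, still holds credential A for this RP.
const PHONE_NOW = { credentialIds: ["A"] };

// Hypothetical: the transport the laptop's client is using to reach the phone.
const CLIENT_TRANSPORT = "ble";

// Policy 1 (the behaviour the issue argues against): a descriptor is forwarded
// to the authenticator only if its hints mention the transport in use.
function excludeListHonouringHints(descriptors, transportInUse) {
  return descriptors
    .filter((d) => d.type === "public-key")
    .filter((d) => !d.transports || d.transports.length === 0
                   || d.transports.includes(transportInUse))
    .map((d) => d.id);
}

// Policy 2 (what the issue proposes to mandate): forward every public-key
// descriptor's id regardless of its transport hints.
function excludeListIgnoringHints(descriptors) {
  return descriptors
    .filter((d) => d.type === "public-key")
    .map((d) => d.id);
}

// Authenticator side: it refuses to create a new credential when any credential
// it already holds for this RP appears in the exclude list.
function authenticatorWouldCreate(authenticator, excludeIds) {
  return !authenticator.credentialIds.some((id) => excludeIds.includes(id));
}

// Returns true when the phone could be registered a second time under the given policy.
function duplicateRegistrationPossible(policy) {
  const ids = policy === "honour"
    ? excludeListHonouringHints(EXCLUDE_CREDENTIALS, CLIENT_TRANSPORT)
    : excludeListIgnoringHints(EXCLUDE_CREDENTIALS);
  return authenticatorWouldCreate(PHONE_NOW, ids);
}
```

With hints honoured, the stale `["internal"]` hint drops `A` from the list and the duplicate registration goes through; with hints ignored, `A` is forwarded and the authenticator refuses.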