[webauthn] RP guidance for `invalidStateError` returned from `[[Create]]()` (#1331)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== RP guidance for `invalidStateError` returned from `[[Create]]()` ==
The Note that PR #1326 inserts into the explains the purpose of the UV gesture solicited in the `authenticatorMakeCredential()` operation when there are match(es) in the `|excludeCredentialDescriptorList|`. Essentially, we're explaining in the (new) Note that: "if the RP gets an `invalidStateError` back from a nav.creds.Create() call, they can do something user-helpful with that info".

However, this guidance for the RP is buried in "Note:"s in spec sections that _we are not suggesting_ RP devs read (i.e., in the [spec roadmap](https://w3c.github.io/webauthn/#sctn-spec-roadmap)).  

Additionally, our "[RP Ops - registering a new cred](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential)" section only says "abort the ceremony with a user-visible error" if an error is returned from Create().

Seems like we ought to provide more guidance to the RP reader. Perhaps add this to the "[rp operations - registering a new cred](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential)" section?

Are there also similar RP considerations for "[RP Ops - verifying an authentication assertion](https://w3c.github.io/webauthn/#sctn-verifying-assertion)" we ought to add to the latter section?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1331 using your GitHub account

Received on Monday, 21 October 2019 20:58:02 UTC
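
As an added illustration (not part of the issue or of the WebAuthn spec text), here is one way an RP's client script could treat an `InvalidStateError` rejection from `navigator.credentials.create()` differently from the generic "abort the ceremony with a user-visible error" path. The function names, outcome labels and message strings are hypothetical.

```javascript
// Added example: RP-side handling of a rejected create() call.
// classifyCreateError, registerCredential and the messages are assumptions.

// Map a rejection from navigator.credentials.create() to an RP-side outcome.
function classifyCreateError(err) {
  const name = err && typeof err.name === "string" ? err.name : "";
  if (name === "InvalidStateError") {
    // The authenticator matched an entry in excludeCredentials and the user
    // completed the gesture, so this authenticator is already registered.
    return {
      outcome: "already-registered",
      retry: false,
      message:
        "This authenticator is already registered to your account. " +
        "Sign in with it, or register a different one.",
    };
  }
  // Any other error: abort the ceremony with a user-visible error.
  return {
    outcome: "aborted",
    retry: true,
    message: "Registration did not complete. Please try again.",
  };
}

// `credentials` is injected (navigator.credentials in a browser) so the
// function can be exercised with a stub outside a browser.
async function registerCredential(credentials, publicKeyOptions) {
  try {
    const credential = await credentials.create({ publicKey: publicKeyOptions });
    return { outcome: "created", credential };
  } catch (err) {
    return classifyCreateError(err);
  }
}
```

In a page script this would be called as `registerCredential(navigator.credentials, options)`, with `options.excludeCredentials` populated from the credentials the RP already holds for the user.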