
Re: [webauthn] Add explanatory note to step 3 in authenticatorMakeCredential (#1326)

From: holycleugh via GitHub <sysbot+gh@w3.org>
Date: Thu, 07 May 2020 05:32:07 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-625038055-1588829526-sysbot+gh@w3.org>
Hi, I'm trying to resolve a possible conflict between this and the CTAP2 (Jan 30, 2019). Let me know if there's a more appropriate forum to post this question on.

In the WebAuthn algorithm, if the credential is excluded and the user declines consent, we return NotAllowedError. However, the CTAP2 spec says

> 5.1
> If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

It's possibly ambiguous, but it seems to return CTAP2_ERR_CREDENTIAL_EXCLUDED regardless of whether the user gave consent. Should I treat the new WebAuthn guidelines as superseding the older CTAP2 spec and return CTAP2_ERR_OPERATION_DENIED if the user declined consent?

-- 
GitHub Notification of comment by holycleugh
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1326#issuecomment-625038055 using your GitHub account
Received on Thursday, 7 May 2020 05:32:09 UTC
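The excludeList check the post is asking about, as an added model that is not code from the thread, from the CTAP2 or WebAuthn specs, or from any authenticator. It assumes a toy `Authenticator` class with constructed credential IDs and a `policy` switch that names the two readings in the post (the quoted CTAP2 5.1 text versus the poster's proposed OPERATION_DENIED mapping); the status code values are taken from the CTAP2 error code table. It also shows the rpId-binding part of the quoted sentence, which keeps excludeList from being used to probe for credentials that belong to another RP.

```python
"""Model of the excludeList branch of authenticatorMakeCredential.

Added example (not from the thread, the specs, or any real authenticator).
policy="ctap2": the quoted 5.1 text, user presence then CREDENTIAL_EXCLUDED
regardless of the answer.  policy="webauthn": the poster's proposed mapping,
OPERATION_DENIED when the user declines.
"""
from dataclasses import dataclass, field

# Status codes from the CTAP2 error code table.
CTAP1_ERR_SUCCESS = 0x00
CTAP2_ERR_CREDENTIAL_EXCLUDED = 0x19
CTAP2_ERR_OPERATION_DENIED = 0x27


@dataclass
class Authenticator:
    # Resident state: credential ID -> rpId it is bound to (constructed sample).
    credentials: dict = field(default_factory=dict)

    def _excluded_match(self, rp_id: str, exclude_list: list) -> bool:
        # Only a credential bound to *this* rpId counts.  A match that belongs
        # to another RP must look exactly like "no match", otherwise an RP could
        # learn which other sites a user has credentials for via excludeList.
        return any(self.credentials.get(cid) == rp_id for cid in exclude_list)

    def make_credential(self, rp_id: str, exclude_list: list,
                        user_consents: bool, policy: str = "ctap2") -> int:
        if self._excluded_match(rp_id, exclude_list):
            # Both readings wait for a user gesture before revealing anything,
            # so a silent call cannot enumerate credentials; they differ only
            # in what is returned when the user declines.
            if policy == "ctap2" or user_consents:
                return CTAP2_ERR_CREDENTIAL_EXCLUDED
            return CTAP2_ERR_OPERATION_DENIED
        # No excluded match: fall through to the normal consent/creation path.
        if not user_consents:
            return CTAP2_ERR_OPERATION_DENIED
        new_id = f"cred-{len(self.credentials) + 1}"
        self.credentials[new_id] = rp_id
        return CTAP1_ERR_SUCCESS
```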
