Re: [webauthn] Add explanatory note to step 3 in authenticatorMakeCredential (#1326)

Hi, I'm trying to resolve a possible conflict between this and the CTAP2 (Jan 30, 2019). Let me know if there's a more appropriate forum to post this question on.

In the WebAuthn algorithm, if the credential is excluded and the user declines consent, we return NotAllowedError. However, the CTAP2 spec says

>If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

It's possibly ambiguous but it seems to return CTAP2_ERR_CREDENTIAL_EXCLUDED regardless of whether the user gave consent. Should I treat the new WebAuthn guidelines as superseding the older CTAP2 spec and return CTAP2_ERR_OPERATION_DENIED if the user declined consent?

GitHub Notification of comment by holycleugh
Please view or discuss this issue at using your GitHub account

Received on Thursday, 7 May 2020 05:32:09 UTC