- From: holycleugh via GitHub <sysbot+gh@w3.org>
- Date: Thu, 07 May 2020 05:32:07 +0000
- To: public-webauthn@w3.org
Hi, I'm trying to resolve a possible conflict between this and the CTAP2 (Jan 30, 2019). Let me know if there's a more appropriate forum to post this question on.

In the WebAuthn algorithm, if the credential is excluded and the user declines consent, we return NotAllowedError. However, the CTAP2 spec says

> 5.1
> If the excludeList parameter is present and contains a credential ID that is present on this authenticator and bound to the specified rpId, wait for user presence, then terminate this procedure and return error code CTAP2_ERR_CREDENTIAL_EXCLUDED.

It's possibly ambiguous but it seems to return CTAP2_ERR_CREDENTIAL_EXCLUDED regardless of whether the user gave consent.

Should I treat the new WebAuthn guidelines as superseding the older CTAP2 spec and return CTAP2_ERR_OPERATION_DENIED if the user declined consent?

--
GitHub Notification of comment by holycleugh
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1326#issuecomment-625038055 using your GitHub account
Received on Thursday, 7 May 2020 05:32:09 UTC