W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2020

Re: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Sep 2020 10:23:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-691013409-1599819796-sysbot+gh@w3.org>
I don’t think that it’s clear whether or not Android stores a client side resident key. What is clear is that Chrome on Android doesn’t support assertion with an empty allowCredentials list. Subtle difference I know but an argument could be made that the create operation is still valid. In any case this is something the Google folks are best positioned to answer. 

Sent from my iPhone

> On 11 Sep 2020, at 8:03 pm, Arian van Putten <notifications@github.com> wrote:
> @sbweeden the cited line was part of L1 too though See step 4 of https://www.w3.org/TR/webauthn/#op-make-cred
> If requireResidentKey is true and the authenticator cannot store a client-side-resident public key credential source, return an error code equivalent to "ConstraintError" and terminate the operation.
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub, or unsubscribe.

GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1457#issuecomment-691013409 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 11 September 2020 10:23:18 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:41 UTC