Re: [webauthn] Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? (#1484)

I agree in general about using an empty allow list, however there are some practical problems.

1) The Android platform authenticator doesn't support empty allow lists.
2) Most roaming authenticators have limited storage for resident credentials.

Without getting at least issue 1 addressed it is hard for RP to rely on discoverable credentials.

Sending an allow list works with 100% of the platforms and authenticators.

It is a trade-off for the moment.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1484#issuecomment-693125112 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 16 September 2020 02:05:58 UTC