
Re: [webauthn] Regarding the issue of Credential ID exposure (13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? (#1484)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 16 Sep 2020 02:05:56 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-693125112-1600221955-sysbot+gh@w3.org>
I agree in general about using an empty allow list, however there are some practical problems.

1) The Android platform authenticator doesn't support empty allow lists.
2) Most roaming authenticators have limited storage for resident credentials.

Without getting at least issue 1 addressed, it is hard for an RP to rely on discoverable credentials.

Sending an allow list works with 100% of the platforms and authenticators.

It is a trade-off for the moment.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1484#issuecomment-693125112 using your GitHub account
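The two request shapes the comment weighs, as an added example that is not from the thread, the commenter, or the WebAuthn specification: an empty `allowCredentials` for the discoverable-credential flow, and a populated allow list for the flow that every authenticator supports. The RP ID, the credential store, and the fall-back-on-rejection behaviour are assumptions made for the example.

```javascript
// Added example (not from the thread): RP-side request options for the two
// WebAuthn assertion flows discussed above. The RP ID and credential store
// below are constructed for illustration.

const RP_ID = 'example.com'; // assumption: the RP's registrable domain

// Constructed store: username -> credential IDs registered for that user.
// In a real RP this comes from the database written at registration time.
const CREDENTIAL_STORE = {
  alice: [Uint8Array.from([1, 2, 3, 4]), Uint8Array.from([5, 6, 7, 8])],
};

function lookupCredentialIds(username) {
  return CREDENTIAL_STORE[username] || [];
}

// Builds PublicKeyCredentialRequestOptions. An empty allowCredentials asks the
// authenticator to pick a discoverable (resident) credential and sends no
// credential IDs to the client; a populated list names exactly which
// credentials are acceptable and works with every authenticator, at the cost
// of revealing those IDs to whoever supplied the username.
function buildAssertionOptions({ challenge, credentialIds = [] }) {
  return {
    publicKey: {
      rpId: RP_ID,
      challenge, // server-generated random bytes, fresh for each ceremony
      userVerification: 'preferred',
      allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
    },
  };
}

// Chooses the flow: no username collected => discoverable-credential flow;
// username collected => allow-list flow.
function assertionOptionsForRequest({ challenge, username }) {
  if (username === undefined) {
    return buildAssertionOptions({ challenge });
  }
  return buildAssertionOptions({ challenge, credentialIds: lookupCredentialIds(username) });
}

// Browser-only: runs the ceremony. Tries the discoverable flow first and, if
// the client rejects the request (assumed to be what happens on a platform
// that does not support empty allow lists), falls back to collecting a
// username and sending an allow list.
async function signIn(challenge, askForUsername) {
  try {
    return await navigator.credentials.get(assertionOptionsForRequest({ challenge }));
  } catch (err) {
    const username = await askForUsername(err);
    return navigator.credentials.get(assertionOptionsForRequest({ challenge, username }));
  }
}
```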

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 16 September 2020 02:05:58 UTC
